This paper surveys common attack techniques, defensive mitigations, and secure administration practices related to phpMyAdmin — a widely used web-based MySQL/MariaDB administration tool. It aims to help system administrators, security engineers, and auditors understand typical threat vectors, exploit patterns, detection strategies, and hardening recommendations. The focus is on pragmatic, ethical guidance for securing deployments and auditing risk; offensive techniques are described at a high level to inform defenses only.
| Username | Password | |----------|----------| | root | root | | root | (blank) | | root | toor | | admin | admin | | pma | pmapass | | mysql | mysql | | user | user | phpmyadmin hacktricks
7.2. Authentication & Access Control
General Log Manipulation: By enabling the general log and changing its path to a .php file in the web root, an attacker can execute code by simply running a SQL query containing PHP tags. Local File Inclusion (LFI) to RCE Local File Inclusion (LFI) to RCE