If the database user has the FILE privilege and the absolute web path is known, an attacker can write a shell directly to the server's web root.
phpMyAdmin versions 4.8.0 and 4.8.1 are famously vulnerable to an authenticated Local File Inclusion (LFI) flaw.
Block all INTO OUTFILE queries with a SQL proxy or firewall rule (e.g., ProxySQL or a mod_security rule).
What Hackers Know About Your phpMyAdmin (And How to Stop Them)
RCE vulnerabilities can occur in phpMyAdmin if user input is not properly sanitized.
If you have gained access to phpMyAdmin, you can escalate privileges.
– If you can control session data.