phpMyAdmin (AllowArbitraryServer) Arbitrary File Read Vulnerability

Many posts have pointed out that a malicious MySQL server can use the LOAD DATA LOCAL command to read arbitrary files from MySQL clients. According to this post (in Chinese), we can read arbitrary files on the phpMyAdmin server if $cfg['AllowArbitraryServer'] is enabled.

Online environment: phpMyAdmin 4.8.4 with AllowArbitraryServer enabled:


Arbitrary file reading through LOAD DATA LOCAL is a long-standing problem; according to previous research:

We know that this problem exists in the following situations:

  • MySQL Client
  • PHP + mysql/mysqli
  • Python + MySQLdb
  • Python3 + mysqlclient
  • Java + JDBC Driver
  • ...

phpMyAdmin falls into the PHP + mysqli category, so this vulnerability can be used to read arbitrary files on the phpMyAdmin server if $cfg['AllowArbitraryServer'] is enabled: the attacker points phpMyAdmin at a MySQL server they control, and that server answers the client's first query with a LOAD DATA LOCAL request for a file of its choosing.
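For a defender, the question is whether a given phpMyAdmin host has both halves of this exposure: AllowArbitraryServer switched on in config.inc.php, and the PHP mysqli client still willing to honour LOAD DATA LOCAL. The following audit script is an added example written for this page, not code from VulnSpy or the phpMyAdmin project. It assumes the standard phpMyAdmin config.inc.php syntax, the real php.ini directive mysqli.allow_local_infile (which controls LOAD DATA LOCAL for the mysqli extension; mysqli connections can also disable it at runtime with MYSQLI_OPT_LOCAL_INFILE), and phpMyAdmin's documented default of AllowArbitraryServer = false when the setting is absent. The sample configuration fragments are constructed for the example.

```python
"""Static audit for the LOAD DATA LOCAL file-read exposure in phpMyAdmin.

Exposed when both hold:
  1. $cfg['AllowArbitraryServer'] is true in config.inc.php, so a user can
     point phpMyAdmin at a MySQL server they control, and
  2. the mysqli client is not stopped from answering LOAD DATA LOCAL, i.e.
     php.ini does not set mysqli.allow_local_infile = Off.
The php.ini default depends on the PHP version, so an absent directive is
treated as "not explicitly disabled" and reported as exposed.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuditResult:
    allow_arbitrary_server: Optional[bool]  # None = expression we cannot evaluate statically
    allow_local_infile: Optional[bool]      # None = directive absent from php.ini
    exposed: bool
    reason: str


def _strip_php_comments(src: str) -> str:
    """Drop /* */ blocks and full-line // or # comments so a commented-out
    setting is not mistaken for an active one."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.DOTALL)
    return "\n".join(l for l in src.splitlines() if not re.match(r"^\s*(//|#)", l))


# $cfg['AllowArbitraryServer'] = true;   (PHP array keys are case-sensitive)
_CFG_RE = re.compile(
    r"""^\s*\$cfg\[\s*['"]AllowArbitraryServer['"]\s*\]\s*=\s*([^;]+);""", re.MULTILINE)
# mysqli.allow_local_infile = Off   (a leading ';' makes the line a comment, so it will not match)
_INI_RE = re.compile(r"^\s*mysqli\.allow_local_infile\s*=\s*([^\s;]*)", re.IGNORECASE | re.MULTILINE)


def _php_bool(raw: str) -> Optional[bool]:
    v = raw.strip().strip("'\"").lower()
    if v in ("true", "1"):
        return True
    if v in ("false", "0", ""):
        return False
    return None  # e.g. a variable or function call: cannot decide without running PHP


def _ini_bool(raw: str) -> Optional[bool]:
    v = raw.strip().strip("'\"").lower()
    if v in ("1", "on", "true", "yes"):
        return True
    if v in ("0", "off", "false", "no", "none", ""):
        return False
    return None


def parse_allow_arbitrary_server(config_inc_php: str) -> Optional[bool]:
    matches = _CFG_RE.findall(_strip_php_comments(config_inc_php))
    if not matches:
        return False  # phpMyAdmin's documented default
    return _php_bool(matches[-1])  # last assignment wins, as in PHP


def parse_allow_local_infile(php_ini: str) -> Optional[bool]:
    matches = _INI_RE.findall(php_ini)
    return _ini_bool(matches[-1]) if matches else None


def audit(config_inc_php: str, php_ini: str) -> AuditResult:
    aas = parse_allow_arbitrary_server(config_inc_php)
    infile = parse_allow_local_infile(php_ini)
    if aas is None:  # conservative: flag for manual review
        return AuditResult(aas, infile, True, "AllowArbitraryServer cannot be evaluated statically")
    if aas is False:
        return AuditResult(aas, infile, False, "AllowArbitraryServer is off: users cannot pick the MySQL server")
    if infile is False:
        return AuditResult(aas, infile, False, "AllowArbitraryServer is on, but mysqli.allow_local_infile=Off blocks LOAD DATA LOCAL")
    return AuditResult(aas, infile, True, "AllowArbitraryServer is on and LOAD DATA LOCAL is not explicitly disabled")


# Constructed sample inputs (not real deployments).
SAMPLE_CONFIG_VULNERABLE = """<?php
/* constructed phpMyAdmin config fragment */
$cfg['blowfish_secret'] = 'placeholder';
$cfg['Servers'][$i]['auth_type'] = 'cookie';
// $cfg['AllowArbitraryServer'] = false;
$cfg['AllowArbitraryServer'] = true;
"""
SAMPLE_CONFIG_SAFE = SAMPLE_CONFIG_VULNERABLE.replace("= true;", "= false;")
SAMPLE_INI_OLD = """; constructed php.ini fragment
[MySQLi]
mysqli.max_persistent = -1
mysqli.allow_local_infile = On
"""
SAMPLE_INI_HARDENED = SAMPLE_INI_OLD.replace("= On", "= Off")

if __name__ == "__main__":
    for name, cfg, ini in [("vulnerable", SAMPLE_CONFIG_VULNERABLE, SAMPLE_INI_OLD),
                           ("config fixed", SAMPLE_CONFIG_SAFE, SAMPLE_INI_OLD),
                           ("php.ini fixed", SAMPLE_CONFIG_VULNERABLE, SAMPLE_INI_HARDENED)]:
        r = audit(cfg, ini)
        print(f"{name:14} exposed={r.exposed}  {r.reason}")
```

Either fix on its own closes the hole; turning AllowArbitraryServer off is the smaller change and also removes the ability to use phpMyAdmin as a connection relay, while the php.ini setting protects every mysqli application on the host. Note that the script reads configuration only; it does not connect to anything, and it cannot see whether application code re-enables local infile at runtime.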



Let's use VulnSpy's online phpMyAdmin environment to demonstrate:

1. Click the START TO HACK button in the upper right corner to create the online environment

Once created, two virtual environments are generated automatically:

  • web: the phpMyAdmin service, our target
  • db: the MySQL service, the hacker's server

2. Log in to the terminal of the hacker's server, db

1). Click the terminal icon in the control bar and select db

2). Click Connect to log in

3). Execute cd /root/exp/

4). Edit the file and change PORT = 3306 to PORT = 3307

filelist lists the files to read

5). Execute python to run the exploit service

6). Open phpMyAdmin, enter db:3307, vulnspy and vulnspy, and submit the form.

7). Go back to the terminal and open the file mysql.log


All rights reserved. © 2022 VULNSPY