phpMyAdmin is the world’s most popular MySQL/MariaDB administration tool. While it is a godsend for database administrators, it is a prime target for penetration testers. Misconfigurations, default installations, weak credentials, and outdated versions often turn it into the "golden key" that leads to Remote Code Execution (RCE), privilege escalation, and full server compromise.
Some installations forget to remove /setup. Check:
/phpmyadmin/setup/
If accessible, you can configure the server, which may lead to RCE (more in Part 3).
If you’re hardening phpMyAdmin:
Example:
/phpmyadmin/
/pma/
/mysql/
/db/
/admin/mysql/
/phpMyAdmin-4.8.0/ (version-specific paths)
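The same paths from the defender's side, as an added example that is not part of the original page: this script reads a web access log, flags clients that sweep several of the phpMyAdmin directory names listed above, and reports any setup URL that answered 200. The common/combined log layout, the threshold of 3 distinct directories, and the sample log lines are assumptions made for the example.

```python
import re
from collections import defaultdict

# Directory names from the list above; the last alternative covers
# version-specific folders such as /phpMyAdmin-4.8.0/.
PMA_PATH = re.compile(
    r"^/(phpmyadmin|pma|mysql|db|admin/mysql|phpMyAdmin-[\d.]+)(?:/|$)", re.I)
SETUP_PATH = re.compile(r"^/setup(?:/|$)", re.I)
# Common/combined log format: ip ident user [time] "METHOD url proto" status size
LOG_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /pma/ HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /admin/mysql/ HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /phpMyAdmin-4.8.0/ HTTP/1.1" 404 153
192.0.2.55 - - [10/Mar/2024:10:05:40 +0000] "GET /index.php?page=db HTTP/1.1" 200 5120
198.51.100.20 - - [10/Mar/2024:11:12:09 +0000] "GET /phpmyadmin/setup/ HTTP/1.1" 200 8841
198.51.100.20 - - [10/Mar/2024:11:12:30 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 4310
"""


def analyze(log_text, probe_threshold=3):
    """Return (scanner IPs, [(ip, path)] of setup URLs that answered 200)."""
    probed = defaultdict(set)
    exposed_setup = []
    for line in log_text.splitlines():
        entry = LOG_LINE.match(line)
        if not entry:
            continue
        ip, url, status = entry.group(1), entry.group(2), int(entry.group(3))
        path = url.split("?", 1)[0]
        hit = PMA_PATH.match(path)
        if not hit:
            continue
        probed[ip].add(hit.group(1).lower())
        # A 200 on <install>/setup means the setup script is still reachable.
        if status == 200 and SETUP_PATH.match(path[hit.end(1):]):
            exposed_setup.append((ip, path))
    scanners = sorted(ip for ip, dirs in probed.items()
                      if len(dirs) >= probe_threshold)
    return scanners, exposed_setup


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Names such as /db/ and /mysql/ can belong to legitimate applications, which is why a single hit is not reported and only a sweep across several directories is.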