If the database user has FILE privilege, you can write a webshell.
, and leveraging authenticated Remote Code Execution (RCE) vulnerabilities such as CVE-2018-12613, which allows Local File Inclusion (LFI) to RCE. Effective mitigation requires regular updates to version 4.8.2 or later, strict network access controls, and restricting the MySQL phpmyadmin hacktricks verified
Use the LFI to include /var/lib/php/sessions/sess_[YOUR_ID] . C. CVE-2016-5734 (RCE via Preg_Replace) If the database user has FILE privilege, you
auxiliary/scanner/http/phpmyadmin_login (still reliable) you can write a webshell.