Securin Zero-Days

CVE-2020-5504 – SQL Injection with Missing Functional Level Access in phpMyAdmin




Affected Product

phpMyAdmin 4.x versions prior to 4.9.4 are affected, phpMyAdmin 5.x version 5.0.0



Securin ID





December 12, 2019


A SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application’s database server. Missing functional level access flaws allow attackers to access unauthorized functionality. SQL injection (SQLi) vulnerability was identified with the conjunction of missing function level access in the latest version of the phpMyAdmin database. The vulnerability affects http://localhost/phpmyadmin/server_privileges.php, username.

Proof of Concept (POC):

The following vulnerability was tested on phpMyAdmin version 5.0.

Issue: SQL Injection with missing functional level access:

1. Log in to the phpMyAdmin GUI

2. Installed PhpMyAdmin (Version 5.0)

Figure 01: phpMyAdmin Installed Version 5.0.0

Figure 02: List of user accounts and privileges in the database.

Figure 03: Test user doesn’t have global privileges just for information.

Figure 04: “Test” user has all privilege to test the database only.

Figure 05: Log in to phpMyAdmin with “test” user credentials.

 Now, enable an http-based proxy on the browser to intercept the traffic to the server.

Figure 06: “Test” users don’t have enough privilege to view users and other databases.

Figure 07: The intercepted ajax call in the proxy is related to the user accounts page.

Figure 08: JavaScript file which related to server_privileges.php page Ajax calls.

Figure 09: JavaScript code, which is responsible for checking the existence of the username in the database.