So recently I was attempting to hack a friend’s server (with permission!) via a local file inclusion (LFI) vulnerability, and I discovered that nobody had any tutorials on hacking XAMPP servers via LFI.
Basically, it’s pretty straightforward if they have FileZilla FTP Server enabled and working! In fact, it should be trivial to exploit this in any currently running XAMPP server with an LFI vulnerability!
So before we start, I’d like to point out that I found this out by simply copying the remote host’s installed programs on a VM of my own. This way I can get a good picture of what their server setup is and can more effectively exploit them. If you’re completely new to LFI exploitation in general, here are some nifty tutorials/guides for you to read: