Hacking XAMPP Web Servers Via Local File Inclusion (LFI)

So recently I was attempting to hack a friend’s server (with permission!) via a local file inclusion vulnerability and I discovered that nobody had any tutorials on hacking XAMPP servers via LFI.

Basically it’s pretty straightforward if they have FileZilla FTP Server enabled and working! In fact it should be trivial to exploit this in any currently running XAMPP server with an LFI vulnerability!

So before we start I’d like to point out that I found this out by simply copying the remote host’s installed programs on a VM of my own. This way I can get a good picture of what their server setup is and can more effectively exploit them. If you’re completely new to LFI exploitation in general here are some nifty tutorials/guides for you to read:

http://www.blackhatlibrary.net/File_Inclusion
http://hakipedia.com/index.php/Local_File_Inclusion

It’s also worth mentioning that this type of LFI vector is not in the stock https://code.google.com/p/fimap/ tool’s libraries, so I don’t think this has been done much, and that surprises me quite a bit! (Seems so simple!)

On to the meat of this post…

In order to demonstrate this attack I’ve prepared a Windows VM with XAMPP installed on it and configured FileZilla to have a usable Administrator account.

For the vulnerable application I simply searched for “local file inclusion” on Exploit-DB. What’s nice about their website is that they host the actual vulnerable applications along with the exploits, so you can practice/verify an exploit for yourself!

I chose this result to be our target: http://www.exploit-db.com/exploits/21418/

Here’s a mirror from Google’s cache as Exploit-DB’s servers are often really slow: http://webcache.googleusercontent.com/search?q=cache:Z1tANS9wxQAJ:www.exploit-db.com/exploits/21418/+&cd=1&hl=en&ct=clnk&gl=us

Semi-ironically, this software, called “Manhali”, is educational software for teaching; I suppose we’ll all learn something from this then!

As a reminder: The software that we’re using doesn’t matter here, the only thing that matters is that it has an exploitable LFI vulnerability that we can use.

[Screenshot: the Exploit-DB entry for the Manhali LFI]

Note the “Vulnerable App” section where you can download this software to test for yourself!


Here is what the main website looks like once installed:

Something about this site just seems so…exploitable? Maybe it’s the design, but that’s beside the point!


Now, what’s nice about XAMPP is that it comes stocked with your favorite programs for web server management, how convenient! Even cute icons for your control panel, who wouldn’t love this?

[Screenshot: the XAMPP control panel]

Moving on, if you have XAMPP installed you can see that the default directory it’s installed in is “C:\xampp”. This is the path the installer uses by default on every XAMPP install.

You’ll also notice that FileZilla is located at “C:\xampp\FileZillaFTP”, and if you look in that directory you’ll find a configuration file for FileZilla called “FileZilla Server.xml”.

At this point I hope you know where I’m going with this, but either way our next step is simply exploiting this LFI to read FileZilla’s configuration file!

It’ll look something like this:

[Screenshot: the Manhali LFI request URL in the browser]

Yes I do have more addons than most sane people

Now let’s do this! (A reminder that you may need to append a null byte (%00) to get things working.) Also, this software simply forces you to download the included file, so it won’t be embedded in the web page like with most inclusion vulnerabilities.

A download? For me?! You shouldn’t have!

What’s in this neat file you ask?

Settings, configurations, and, more importantly, MD5-hashed passwords for all the FTP accounts!

[Screenshot: FileZilla Server.xml opened in gedit]

As you can see, under the <User Name="Administrator"> element we have a hash value. This is just a plain, unsalted MD5 hash of the password for the Administrator’s FTP account, so you’ll have file system access in no time! You should also note that the options for “FileRead”, “FileWrite”, and “FileDelete” are all set to “1” (meaning true), so this user can perform all three actions.

One final step before we finish up here, though: we need to crack the MD5 hash to get the plaintext password for logging in to the FTP server.

Before loading up any cracking programs, I find it’s easier to check a few online websites that offer MD5 “decrypting” for you. This basically means they have a large database of cleartext -> hash pairs and they check whether your hash is in their database. This worked in our test case, but if you find a strong password is being used then you should use something like rainbow tables to crack it. (Check out this site if you’re going that route: https://www.freerainbowtables.com/tables/)

A simple submission to an MD5 “decrypting” website yielded the password that we needed!

[Screenshot: the online MD5 lookup result]

Somewhat ironically, the password was “secure” the whole time! Use this along with the username “Administrator” to log in via FTP and start editing files as you wish! Keep in mind that the FTP directory might not always be the web root, and you may have to poke around to find the URL path that corresponds to it. Perhaps some accounts aren’t for web editing, etc., so simply look for any account that lets you upload a web-viewable file. If done successfully you should be able to upload a shell/payload/etc. to the server!

While there are some requirements to this method, I’d imagine that this would be a very common setup for XAMPP users. You should also note that there are many other useful files in the XAMPP folder that you could read and use to your advantage. I would always recommend setting up a test environment on an offline system before performing the actual attack, so you’re prepared and don’t cause unnecessary noise on your target system!
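From the defender’s side, the requests used above leave a recognisable trace in Apache’s access log: directory traversal, a trailing %00, and a path under the default C:\xampp install. The following script is an added example, not part of the original post or of XAMPP; the log lines it scans are constructed sample data, and the XAMPP_FILES list is an assumption limited to the file this post reads.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format log lines (sample data, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2013:10:01:02 -0500] "GET /manhali/index.php?page=home HTTP/1.1" 200 5123
10.0.0.9 - - [12/Mar/2013:10:01:07 -0500] "GET /manhali/index.php?page=../../../../xampp/FileZillaFTP/FileZilla%20Server.xml%00 HTTP/1.1" 200 8841
10.0.0.9 - - [12/Mar/2013:10:01:12 -0500] "GET /manhali/index.php?page=..%252f..%252fwindows%252fwin.ini HTTP/1.1" 404 310
10.0.0.7 - - [12/Mar/2013:10:02:00 -0500] "GET /manhali/about.php HTTP/1.1" 200 1400
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Assumed watch-list: sensitive files under the default C:\xampp install
# (lower-case, forward slashes) that an LFI request would target.
XAMPP_FILES = ('xampp/filezillaftp/filezilla server.xml',)


def normalise(path):
    """Decode twice (catches %252e double-encoding), lowercase, unify slashes."""
    return unquote(unquote(path)).lower().replace('\\', '/')


def classify(line):
    """Return a finding dict for a suspicious request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path = normalise(m.group('path'))
    reasons = []
    if '../' in path:
        reasons.append('traversal')
    if '\x00' in path:
        reasons.append('null-byte')  # the %00 truncation trick
    for f in XAMPP_FILES:
        if f in path:
            reasons.append('xampp-config:' + f.rsplit('/', 1)[1])
    if not reasons:
        return None
    return {'ip': m.group('ip'), 'status': int(m.group('status')),
            'raw': m.group('path'), 'reasons': reasons}


def scan(log_text):
    """Run classify() over every line and keep only the hits."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit['ip'], hit['status'], ','.join(hit['reasons']), hit['raw'])
```

A 200 response on a hit is the one to escalate: it means the include (or forced download) most likely succeeded.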

As always thanks for reading and happy hacking!

-mandat0ry

Matthew Bryant (mandatory)

Security researcher who needs to sleep more. Opinions expressed are solely my own and do not express the views or opinions of my employer.