<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: pmafind</title>
	<atom:link href="http://blog.arithm.com/2007/07/27/pmafind/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.arithm.com/2007/07/27/pmafind/</link>
	<description>Software.  Politics.  Tinfoil hat conjecture.</description>
	<lastBuildDate>Mon, 30 Jan 2012 09:08:16 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
	<item>
		<title>By: deadman</title>
		<link>http://blog.arithm.com/2007/07/27/pmafind/comment-page-1/#comment-139</link>
		<dc:creator>deadman</dc:creator>
		<pubDate>Thu, 10 Jan 2008 08:31:29 +0000</pubDate>
		<guid isPermaLink="false">http://blog.arithm.com/2007/07/27/pmafind/#comment-139</guid>
		<description>This script is designed by someone to look into websites where phpMyAdmin and MySQL were not configured properly.

Some projects out there, like XAMPP, default after installing to settings that leave the server open for attacks, specifically phpMyAdmin.

When XAMPP installs MySQL, it creates a root account with no password and sets up phpMyAdmin to access the MySQL server through the root user, which does not need a password. When such access is available, the attacker can easily get into MySQL and through it create a file that will give the attacker full shell access.

I&#039;ve tried it myself and it works.

This is not a vulnerability or weakness in the software, but a result of the ignorant use of software by users out there who have no idea what they are working on.

XAMPP is a great project. The exploit is not tied to that project. It was provided as an example.</description>
		<content:encoded><![CDATA[<p>This script is designed by someone to look into websites where phpMyAdmin and MySQL were not configured properly.</p>
<p>Some projects out there, like XAMPP, default after installing to settings that leave the server open for attacks, specifically phpMyAdmin.</p>
<p>When XAMPP installs MySQL, it creates a root account with no password and sets up phpMyAdmin to access the MySQL server through the root user, which does not need a password. When such access is available, the attacker can easily get into MySQL and through it create a file that will give the attacker full shell access.</p>
<p>I&#8217;ve tried it myself and it works.</p>
<p>This is not a vulnerability or weakness in the software, but a result of the ignorant use of software by users out there who have no idea what they are working on.</p>
<p>XAMPP is a great project. The exploit is not tied to that project. It was provided as an example.</p>
]]></content:encoded>
	</item>
</channel>
</rss>

