CVE-2006-1551
Published 2006-04-13
Priority: P3 55 · Severity: high · CVSS 2.0: 7.5
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 36.13% (98.3th percentile)
Eval injection vulnerability in pajax_call_dispatcher.php in PAJAX 0.5.1 and earlier allows remote attackers to execute arbitrary code via the (1) $method and (2) $args parameters.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| georges_auberger | pajax | — | — |
| georges_auberger | pajax | — | — |
Detection & IOCs (extracted from sources)
command: POST /pajax/pajax/pajax_call_dispatcher.php with Content-Type: text/x-json and method field containing injected PHP payload
other: { "id": "bb2238f1186dad8d6370d2bab5f290f71", "className": "<MOD>", "method": "add(1,1);<PAYLOAD>;$obj->add", "params": ["1", "5"] }
- Alert on POST requests to pajax_call_dispatcher.php where the JSON body 'method' parameter contains characters indicative of PHP eval injection (semicolons, PHP function calls, concatenated statements).
- Detect attempts to include arbitrary files ending in '.class.php' via PAJAX request parameters, as the vulnerability also enables local file inclusion of that pattern.
- Look for the static JSON 'id' value 'bb2238f1186dad8d6370d2bab5f290f71' in POST bodies to pajax_call_dispatcher.php; this is a hardcoded Metasploit exploit artifact.
- The default Metasploit URI path '/pajax/pajax/pajax_call_dispatcher.php' may vary in real deployments; defenders should also monitor any path ending in 'pajax_call_dispatcher.php'.
- The default PAJAX module name used in the exploit is 'Calculator', but the MOD option is configurable by the attacker, so className in the JSON body should not be relied upon as a sole detection indicator.
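The checks in the list above can be combined into one request inspector. The following is an added example, not code from this page or its sources; the function name, finding labels and sample requests are constructed, and it assumes that a legitimate PAJAX `method` and `className` are bare identifiers and that `className` is the parameter used for the '.class.php' include.

```python
import json
import re

# Static JSON "id" that the page identifies as a hardcoded Metasploit artifact.
MSF_STATIC_ID = "bb2238f1186dad8d6370d2bab5f290f71"
# Assumption: a benign method or class name is a bare identifier, so anything
# with ';', '(', '$', '/', '.' and similar characters is flagged.
PLAIN_IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
DISPATCHER = "pajax_call_dispatcher.php"

def inspect_request(http_method, path, body):
    """Return a list of finding labels for one HTTP request (empty list = clean)."""
    # Match any path ending in the dispatcher name, not only the Metasploit default.
    if http_method.upper() != "POST" or not path.split("?", 1)[0].endswith(DISPATCHER):
        return []
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return ["unparseable-json-body"]
    if not isinstance(doc, dict):
        return ["unexpected-json-shape"]
    findings = []
    method = doc.get("method")
    if not isinstance(method, str) or not PLAIN_IDENTIFIER.fullmatch(method):
        findings.append("method-not-plain-identifier")
    # Assumption: className feeds the '.class.php' include; its value alone
    # ('Calculator' or otherwise) is not an indicator, only its shape is checked.
    class_name = doc.get("className")
    if not isinstance(class_name, str) or not PLAIN_IDENTIFIER.fullmatch(class_name):
        findings.append("classname-not-plain-identifier")
    if doc.get("id") == MSF_STATIC_ID:
        findings.append("metasploit-static-id")
    return findings

# Constructed sample requests (not captured traffic); <PAYLOAD> is the page's placeholder.
SAMPLES = [
    ("POST", "/pajax/pajax/pajax_call_dispatcher.php",
     '{"id": "a1", "className": "Calculator", "method": "add", "params": ["1", "5"]}'),
    ("POST", "/app/lib/pajax_call_dispatcher.php",
     '{"id": "bb2238f1186dad8d6370d2bab5f290f71", "className": "Calculator", '
     '"method": "add(1,1);<PAYLOAD>;$obj->add", "params": ["1", "5"]}'),
    ("POST", "/pajax/pajax/pajax_call_dispatcher.php",
     '{"id": "a2", "className": "dir/Other", "method": "add", "params": []}'),
]

if __name__ == "__main__":
    for verb, path, body in SAMPLES:
        print(path, inspect_request(verb, path, body))
```

An allow-list on the identifier shape catches the injected `method` string regardless of which PHP statements it carries, which a block-list of function names would not.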
No detection rules found.
Exploit-DB
PAJAX - Remote Command Execution (Metasploit)
exploitdb·2010-04-30
---
##
# $Id: pajax_remote_exec.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'PAJAX Remote Command Execution',
'Description' => %q{
RedTeam has identified two security flaws in PAJAX ( [ 'Matteo Cantoni ', 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9179 $',
'References' =>
[
['CVE', '2006-1551'],
['OSVDB', '24618'],
['BID', '17519'],
['URL', 'http://www.redteam-pentesting.de/advisories/rt-sa-2006-001.php'],
],
'Privileged' => false,
'Payloa
Metasploit
PAJAX Remote Command Execution
metasploit
RedTeam has identified two security flaws in PAJAX (<= 0.5.1). It is possible to execute arbitrary PHP code from unchecked user input. Additionally, it is possible to include arbitrary files on the server ending in ".class.php".
No writeups or analysis indexed.
- http://archives.neohapsis.com/archives/fulldisclosure/2006-04/0270.html
- http://secunia.com/advisories/19653
- http://www.osvdb.org/24618
- http://www.redteam-pentesting.de/advisories/rt-sa-2006-001.php
- http://www.securityfocus.com/archive/1/431029/100/0/threaded
- http://www.securityfocus.com/bid/17519
- http://www.vupen.com/english/advisories/2006/1353
- https://exchange.xforce.ibmcloud.com/vulnerabilities/25859
Published: 2006-04-13