CVE-2006-0147

ADOdb for PHP < 4.70 - Remote Code Execution via tests/tmssql.php do Parameter


Exploitation Summary

EIP tracks 1 public exploit for CVE-2006-0147. PoCs published by rgod.

AI-analyzed exploit summary: This exploit leverages a file inclusion vulnerability in Simplog <= 0.9.2 by injecting a remote URL via the 's' parameter, leading to remote command execution. The script sends a crafted HTTP request with the malicious payload embedded in cookies.

Description

Dynamic code evaluation vulnerability in tests/tmssql.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PhpOpenChat, possibly (7) MAXdev MD-Pro, and (8) Simplog, allows remote attackers to execute arbitrary PHP functions via the do parameter, which is saved in a variable that is then executed as a function, as demonstrated using phpinfo.

Exploits (1)

exploitdb WORKING POC VERIFIED
by rgod · php · webapps · php
https://www.exploit-db.com/exploits/1663

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Simplog <= 0.9.2
No auth needed
Prerequisites: allow_url_fopen enabled on the target server · remote server hosting the malicious PHP code
devstral-2 · analyzed Feb 18, 2026

References (30)

Core References
Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/19590
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/18267
Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/18254
Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/19555
Patch, Vendor Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2006/dsa-1029
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/24052
Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/19628
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/430448/100/0/threaded
Patch, Vendor Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2006/dsa-1030
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/1305
Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/18276
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/19600
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/1663
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/0103
Exploit, Patch, Vendor Advisory x_refsource_misc
http://secunia.com/secunia_research/2005-64/advisory/
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/430743/100/0/threaded
Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/19591
Exploit, Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/17418
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/19691
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/0102
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/0101
Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/18233
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/1332
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/22291
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2006/dsa-1031
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/0104
Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/18260
Patch, Vendor Advisory vendor-advisory x_refsource_gentoo
http://www.gentoo.org/security/en/glsa/glsa-200604-07.xml

Scores

EPSS 0.1277
EPSS Percentile 95.8%

Details

Status published
Products (7)
john_lim/adodb 4.66
john_lim/adodb 4.68
mantis/mantis 0.19.4
mantis/mantis 1.0.0_rc4
moodle/moodle 1.5.3
postnuke_software_foundation/postnuke 0.761
the_cacti_group/cacti 0.8.6g
Published Jan 09, 2006
Tracked Since Feb 18, 2026