CVE-2006-0644

CPG-Nuke Dragonfly CMS 9.0.6.1 - Directory Traversal and Arbitrary File Execution via newlang and installlang Parameters

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2006-0644. PoCs published by rgod.

AI-analyzed exploit summary This exploit targets a local file inclusion vulnerability in CPGNuke Dragonfly 9.0.6.1 via the 'install.php' script, allowing remote command execution through arbitrary file inclusion. It leverages either the 'cpg_error.log' or uploaded malicious files to inject and execute PHP code.

Description

Multiple directory traversal vulnerabilities in install.php in CPG-Nuke Dragonfly CMS (aka CPG Dragonfly CMS) 9.0.6.1 allow remote attackers to include and execute arbitrary local files via directory traversal sequences and a NUL (%00) character in (1) the newlang parameter and (2) the installlang parameter in a cookie, as demonstrated by using error.php to insert malicious code into a log file, or uploading a malicious .png file, which is then included using install.php.

Exploits (1)

exploitdb WORKING POC VERIFIED

by rgod · phpwebappsphp

https://www.exploit-db.com/exploits/1478

View Code ZIP pw:eip

This exploit targets a local file inclusion vulnerability in CPGNuke Dragonfly 9.0.6.1 via the 'install.php' script, allowing remote command execution through arbitrary file inclusion. It leverages either the 'cpg_error.log' or uploaded malicious files to inject and execute PHP code.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: CPGNuke Dragonfly 9.0.6.1

No auth needed

Prerequisites: Access to the target's 'install.php' script · Ability to write to 'cpg_error.log' or upload malicious files

MITRE ATT&CK