CVE-2006-1747

Exploitation Summary

EIP tracks 7 public exploits for CVE-2006-1747. PoCs published by AG-Spider.

AI-analyzed exploit summary The provided text describes a remote file inclusion vulnerability in VWar 1.5, where unsanitized user input allows arbitrary PHP code execution via the 'vwar_root' parameter. The example URL demonstrates how an attacker could exploit this to execute system commands.

Description

PHP remote file inclusion vulnerability in Virtual War (VWar) 1.5.0 allows remote attackers to execute arbitrary PHP code via a URL in the vwar_root parameter to (1) admin/admin.php, (2) war.php, (3) stats.php, (4) news.php, (5) joinus.php, (6) challenge.php, (7) calendar.php, (8) member.php, (9) popup.php, and other unspecified scripts in the admin folder. NOTE: these are different attack vectors than CVE-2006-1636 and CVE-2006-1503.

Exploits (7)

exploitdb WRITEUP VERIFIED

by AG-Spider · textwebappsphp

https://www.exploit-db.com/exploits/28350

View Code ZIP pw:eip

The provided text describes a remote file inclusion vulnerability in VWar 1.5, where unsanitized user input allows arbitrary PHP code execution via the 'vwar_root' parameter. The example URL demonstrates how an attacker could exploit this to execute system commands.

Classification

Writeup 80%

Attack Type

Rce

Complexity

Trivial

Reliability

Theoretical

Target: VWar 1.5

No auth needed

Prerequisites: Network access to the target application · PHP remote file inclusion enabled on the server

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WRITEUP VERIFIED

by AG-Spider · textwebappsphp

https://www.exploit-db.com/exploits/28356

View Code ZIP pw:eip

The provided text describes a remote file inclusion vulnerability in VWar 1.5, where unsanitized user input in the 'vwar_root' parameter allows arbitrary PHP code execution. The example URL demonstrates how an attacker could exploit this to execute commands like 'ls'.

Classification

Writeup 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Theoretical

Target: VWar 1.5

No auth needed

Prerequisites: Access to the vulnerable 'stats.php' endpoint · Ability to craft a malicious URL with arbitrary PHP code

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WRITEUP VERIFIED

by AG-Spider · textwebappsphp

https://www.exploit-db.com/exploits/28355

View Code ZIP pw:eip

The code describes a remote file inclusion vulnerability in VWar 1.5, where unsanitized input in the 'vwar_root' parameter allows arbitrary PHP code execution. The example URL demonstrates how an attacker could exploit this to execute system commands.

Classification

Writeup 80%

Attack Type

Rce

Complexity

Trivial

Reliability

Theoretical

Target: VWar 1.5

No auth needed

Prerequisites: Remote file inclusion must be enabled on the server · Attacker must be able to reach the target URL

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WRITEUP VERIFIED

by AG-Spider · textwebappsphp

https://www.exploit-db.com/exploits/28351

View Code ZIP pw:eip

The provided text describes a remote file inclusion vulnerability in VWar 1.5, where unsanitized input in the 'vwar_root' parameter allows arbitrary PHP code execution. The example URL demonstrates how an attacker could exploit this to execute system commands.

Classification

Writeup 80%

Attack Type

Rce

Complexity

Trivial

Reliability

Theoretical

Target: VWar 1.5

No auth needed

Prerequisites: Remote file inclusion must be enabled on the server · Attacker must be able to host a malicious PHP file

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WRITEUP VERIFIED

by AG-Spider · textwebappsphp

https://www.exploit-db.com/exploits/28354

View Code ZIP pw:eip

The provided text describes a remote file inclusion vulnerability in VWar 1.5, where unsanitized input in the 'vwar_root' parameter allows arbitrary remote file inclusion and execution of malicious PHP code. The example URL demonstrates how an attacker could exploit this to execute commands.

Classification

Writeup 80%

Attack Type

Rce

Complexity

Trivial

Reliability

Theoretical

Target: VWar 1.5

No auth needed

Prerequisites: Remote file inclusion must be enabled on the server · Attacker must be able to host a malicious PHP file on a remote server

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WRITEUP VERIFIED

by AG-Spider · textwebappsphp

https://www.exploit-db.com/exploits/28353

View Code ZIP pw:eip

The code describes a remote file inclusion vulnerability in VWar 1.5, where unsanitized input in the 'vwar_root' parameter allows arbitrary PHP code execution. The example URL demonstrates how an attacker could exploit this to execute commands like 'ls'.

Classification

Writeup 80%

Attack Type

Rce

Complexity

Trivial

Reliability

Theoretical

Target: VWar 1.5

No auth needed

Prerequisites: Remote file inclusion must be enabled on the server · Attacker must be able to reach the target URL

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WRITEUP VERIFIED

by AG-Spider · textwebappsphp

https://www.exploit-db.com/exploits/28352

View Code ZIP pw:eip

The code describes a remote file inclusion vulnerability in VWar 1.5, where unsanitized input in the 'vwar_root' parameter allows arbitrary PHP code execution. The example URL demonstrates how an attacker could exploit this to execute system commands.

Classification

Writeup 80%

Attack Type

Rce

Complexity

Trivial

Reliability

Theoretical

Target: VWar 1.5

No auth needed

Prerequisites: Access to the vulnerable application · Ability to host malicious PHP code on a remote server

MITRE ATT&CK