CVE-2006-2005

ClanSys 1.1 - Remote Code Execution via Page Parameter Eval Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2006-2005. PoCs published by nukedx.

AI-analyzed exploit summary This exploit demonstrates a PHP code insertion vulnerability in ClanSys v1.1 via the 'page' parameter in index.php. The attacker can include arbitrary PHP code, leading to remote code execution (RCE).

Description

Eval injection vulnerability in index.php in ClanSys 1.1 allows remote attackers to execute arbitrary PHP code via PHP code in the page parameter, as demonstrated by using an "include" statement that is injected into the eval statement. NOTE: this issue has been described as file inclusion by some sources, but that is just one attack; the primary vulnerability is eval injection.

Exploits (1)

exploitdb WORKING POC VERIFIED

by nukedx · textwebappsphp

https://www.exploit-db.com/exploits/1710

View Code ZIP pw:eip

This exploit demonstrates a PHP code insertion vulnerability in ClanSys v1.1 via the 'page' parameter in index.php. The attacker can include arbitrary PHP code, leading to remote code execution (RCE).

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: ClanSys v1.1

No auth needed

Prerequisites: Access to the target web application · Ability to craft a malicious URL

MITRE ATT&CK