CVE-2006-3580

asp_stats_generator < 2.1.1 - SQL Injection via order Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2006-3580. PoCs published by Hamid Ebadi.

AI-analyzed exploit summary The exploit demonstrates SQL injection and ASP code injection vulnerabilities in ASP Stats Generator. It includes functional payloads for both SQLi (via union-based injection) and arbitrary file upload (via unsanitized input in settings_skin.asp).

Description

SQL injection vulnerability in pages.asp in ASP Stats Generator before 2.1.2 allows remote attackers to execute arbitrary SQL commands via the order parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Hamid Ebadi · textwebappsasp
https://www.exploit-db.com/exploits/1931

The exploit demonstrates SQL injection and ASP code injection vulnerabilities in ASP Stats Generator. It includes functional payloads for both SQLi (via union-based injection) and arbitrary file upload (via unsanitized input in settings_skin.asp).

Classification
Working Poc 95%
Attack Type
Sqli | Rce
Complexity
Trivial
Reliability
Reliable
Target: ASP Stats Generator 2.1.1 and below
No auth needed
Prerequisites: Access to the vulnerable ASP Stats Generator web interface
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (6)

Core 6
Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/1931
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/20721
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/27283
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/18512
Exploit vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1016336

Scores

EPSS 0.0122
EPSS Percentile 64.7%

Details

Status published
Products (1)
asp_stats_generator/asp_stats_generator < 2.1.1
Published Jul 13, 2006
Tracked Since Feb 18, 2026