CVE-2006-4489

MiniBill < 1.2.2 - Remote File Inclusion via config[include_dir] or config[plugin_dir]

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2006-4489. PoCs published by the master.

AI-analyzed exploit summary This exploit demonstrates a Remote File Inclusion (RFI) vulnerability in MiniBill v1.22 Beta. The vulnerability allows an attacker to include arbitrary remote files via the 'config[plugin_dir]' parameter in 'ipn.php' and 'initPlugins.php'.

Description

Multiple PHP remote file inclusion vulnerabilities in MiniBill 2006-07-14 (1.2.2) allow remote attackers to execute arbitrary PHP code via (1) a URL in the config[include_dir] parameter in actions/ipn.php or (2) an FTP path in the config[plugin_dir] parameter in include/initPlugins.php.

Exploits (1)

exploitdb WORKING POC VERIFIED

by the master · textwebappsphp

https://www.exploit-db.com/exploits/2272

View Code ZIP pw:eip

This exploit demonstrates a Remote File Inclusion (RFI) vulnerability in MiniBill v1.22 Beta. The vulnerability allows an attacker to include arbitrary remote files via the 'config[plugin_dir]' parameter in 'ipn.php' and 'initPlugins.php'.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: MiniBill v1.22 Beta

No auth needed

Prerequisites: Remote file hosting with malicious payload · Network access to the target

MITRE ATT&CK