CVE-2006-6780

hlstats 1.20-1.34 - SQL Injection via Login Form killLimit Parameter

Exploitation Summary

EIP tracks 1 public exploit for CVE-2006-6780. PoCs published by Michael Brooks.

AI-analyzed exploit summary: This PHP script exploits a SQL injection vulnerability in HLStats versions 1.20 to 1.34, allowing attackers to extract database credentials, read arbitrary files, and potentially upload malicious payloads. It includes a web interface for configuring attacks and supports proxy usage for anonymity.

Description

SQL injection vulnerability in the login form in HLstats 1.20 through 1.34 allows remote attackers to execute arbitrary SQL commands via the killLimit parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Michael Brooks · php · webapps · php
https://www.exploit-db.com/exploits/3002

Classification
Working PoC 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: HLStats <= 1.34 and >= 1.20
No auth needed
Prerequisites: Target URL with HLStats installation · Network access to the target
devstral-2 · analyzed Feb 18, 2026

References (6)

Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/3002
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/2064
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/5183
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/23505
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/455305/100/0/threaded
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/21740

Scores

EPSS 0.0117
EPSS Percentile 63.3%

Details

Status published
Products (2)
hlstats/hlstats 1.20
hlstats/hlstats 1.34
Published Dec 28, 2006
Tracked Since Feb 18, 2026