CVE-2007-0205
@lex Guestbook 4.0.2 - Path Traversal via admin/skins.php Parameters
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2007-0205. PoCs published by DarkFig.
AI-analyzed exploit summary: This exploit targets @lex Guestbook <= 4.0.2, leveraging SQL injection to extract admin credentials, then using directory traversal to write a malicious PHP skin file for remote command execution.
Description
Directory traversal vulnerability in admin/skins.php for @lex Guestbook 4.0.2 and earlier allows remote attackers to create files in arbitrary directories via ".." sequences in the (1) aj_skin and (2) skin_edit parameters. NOTE: this can be leveraged for file inclusion by creating a skin file in the lang directory, then referencing that file via the lang parameter to index.php, which passes a sanity check in livre_include.php.
Exploits (1)
This exploit targets @lex Guestbook <= 4.0.2, leveraging SQL injection to extract admin credentials, then using directory traversal to write a malicious PHP skin file for remote command execution.