CVE-2007-2167
AimStats 3.2 - Remote Code Execution via Number Parameter in Update Action
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2007-2167. PoCs published by Dj7xpl.
AI-analyzed exploit summary
This exploit leverages a command injection vulnerability in AimStats v3.2 by manipulating the 'number' parameter in a POST request to execute arbitrary commands via the 'passthru' function. The PoC provides a form to submit the payload and retrieve command output via a GET parameter.
Description
Static code injection vulnerability in process.php in AimStats 3.2 allows remote attackers to inject PHP code into config.php via the number parameter in an update action.