CVE-2008-5663
Kusaba < 1.0.4 - Authenticated Arbitrary File Upload via load_receiver.php or paint_save.php
Title source: llm
Exploitation Summary
EIP tracks 2 public exploits for CVE-2008-5663. PoCs published by Sausage.
AI-analyzed exploit summary: This exploit targets Kusaba <= 1.0.4 by uploading a malicious PHP file via the load_receiver.php script. The payload is a base64-encoded PHP backdoor that allows remote code execution if the attacker can access the uploaded file.
Description
Multiple unrestricted file upload vulnerabilities in Kusaba 1.0.4 and earlier allow remote authenticated users to execute arbitrary code by uploading a file with an executable extension using (1) load_receiver.php or (2) a shipainter action to paint_save.php, then accessing the uploaded file via a direct request to this file in their user directory.
Exploits (2)
This exploit targets Kusaba <= 1.0.4 by uploading a malicious PHP file via the load_receiver.php script. The payload is a base64-encoded PHP backdoor that allows remote code execution if the attacker can access the uploaded file.
This exploit targets Kusaba <= 1.0.4 by uploading a malicious PHP shell disguised as an image file. It leverages a file upload vulnerability in the paint_save.php endpoint to achieve remote code execution.