CVE-2013-10033

CRITICAL

Kimai 0.9.2.x - Unauthenticated SQL Injection via db_restore.php dates[] Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2013-10033. PoCs published by Metasploit, drone, drone, bcoles, including Metasploit module exploits/unix/webapp/kimai_sqli.

AI-analyzed exploit summary This Metasploit module exploits a SQL injection vulnerability in Kimai v0.9.2.x via the 'db_restore.php' file, allowing unauthenticated users to write a PHP payload to disk and achieve remote code execution.

Description

An unauthenticated SQL injection vulnerability exists in Kimai version 0.9.2.x via the db_restore.php endpoint. The flaw allows attackers to inject arbitrary SQL queries into the dates[] POST parameter, enabling file write via INTO OUTFILE under specific environmental conditions. This can lead to remote code execution by writing a PHP payload to the web-accessible temporary directory. The vulnerability has been confirmed in versions including 0.9.2.beta, 0.9.2.1294.beta, and 0.9.2.1306-3.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotephp
https://www.exploit-db.com/exploits/30010

This Metasploit module exploits a SQL injection vulnerability in Kimai v0.9.2.x via the 'db_restore.php' file, allowing unauthenticated users to write a PHP payload to disk and achieve remote code execution.

Classification
Working Poc 100%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Kimai v0.9.2.x
No auth needed
Prerequisites: PHP 'display_errors' enabled · MySQL database running on localhost · MySQL user with write permissions to the Kimai 'temporary' directory
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by drone · pythonwebappsphp
https://www.exploit-db.com/exploits/25606

This exploit targets a SQL injection vulnerability in Kimai 0.9.2.1306-3, allowing unauthenticated attackers to dump sensitive data or drop a web shell via UNION-based SQLi and INTO OUTFILE.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Kimai 0.9.2.1306-3
No auth needed
Prerequisites: Network access to the target · Kimai installation with vulnerable db_restore.php
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC NORMAL
by drone, bcoles · rubypocphp
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/kimai_sqli.rb

This Metasploit module exploits a SQL injection vulnerability in Kimai v0.9.2.x via the 'db_restore.php' file, allowing unauthenticated users to write a PHP payload to disk and achieve remote code execution.

Classification
Working Poc 100%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Kimai v0.9.2.x
No auth needed
Prerequisites: PHP 'display_errors' enabled · MySQL database on localhost · MySQL user with write permissions to Kimai's temporary directory
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Scores

CVSS v4 9.3
EPSS 0.0121
EPSS Percentile 64.3%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-89
Status published
Products (2)
Kimai Project/Kimai 0.9.2.0
Kimai Project/Kimai 0.9.2.x
Published Jul 31, 2025
Tracked Since Feb 18, 2026