CVE-2014-5082

sphider < 1.3.6 - SQL Injection via site_id or url Parameter

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2014-5082. PoCs published by Mike Manzotti.

AI-analyzed exploit summary The exploit demonstrates SQL injection, PHP code injection (RCE), and XSS vulnerabilities in Sphider 1.3.6. It includes proof-of-concept payloads for each vulnerability type, with clear examples of malicious input and expected responses.

Description

Multiple SQL injection vulnerabilities in admin/admin.php in Sphider 1.3.6 and earlier, Sphider Pro, and Sphider-plus allow remote attackers to execute arbitrary SQL commands via the (1) site_id or (2) url parameter.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Mike Manzotti · textwebappsphp

https://www.exploit-db.com/exploits/34189

View Code ZIP pw:eip

The exploit demonstrates SQL injection, PHP code injection (RCE), and XSS vulnerabilities in Sphider 1.3.6. It includes proof-of-concept payloads for each vulnerability type, with clear examples of malicious input and expected responses.

Classification

Working Poc 95%

Attack Type

Sqli | Rce | Xss

Complexity

Trivial

Reliability

Reliable

Target: Sphider 1.3.6

Auth required

Prerequisites: Authenticated access to the Sphider admin panel · Write permissions on conf.php for RCE

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1105 - Ingress Tool Transfer

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WRITEUP

webappsphp

https://www.exploit-db.com/exploits/34238

View Code ZIP pw:eip

This is a detailed technical analysis of multiple vulnerabilities in Sphider Search Engine, including authentication bypass, SQL injection, and remote code execution. It provides proof-of-concept examples and explains the root causes, such as lack of input sanitization and insecure file writing practices.

Classification

Writeup 90%

Attack Type

Rce | Sqli | Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: Sphider < 1.3.6, Sphider Pro/Plus < 3.2

No auth needed

Prerequisites: Network access to the target application · Default or bypassed credentials for RCE

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1105 - Ingress Tool Transfer

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit x_refsource_misc

http://packetstormsecurity.com/files/127720/Sphider-Search-Engine-Command-Execution-SQL-Injection.html

Exploit, Third Party Advisory exploit x_refsource_exploit-db

http://www.exploit-db.com/exploits/34189

Scores

EPSS 0.0210

EPSS Percentile 79.3%

Details

CWE

CWE-89

Status published

Products (5)

sphider/sphider 1.3.2

sphider/sphider 1.3.3

sphider/sphider 1.3.4 (2 CPE variants)

sphider/sphider 1.3.5

sphider/sphider < 1.3.6

Published Aug 06, 2014

Tracked Since Feb 18, 2026