# Zira WBRM SQL Injection - CVE-2025-56401

CVE ID: CVE-2025-56401
Date Discovered: 2025-07-25

---

## Introduction

During a penetration test, a SQL Injection vulnerability was found in the Zira WBRM 7.0 web application. It is a zero-day vulnerability and has been assigned a CVE.

---

## What is SQL Injection?

An attacker can alter an application's SQL queries by supplying crafted input, often leading to data theft or corruption.

---

## Discovery & Initial Lead

A penetration test revealed suspicious behavior in the functionality, suggesting that and parameters were concatenated into SQL queries directly.

---

## Technical Details

Vulnerable Endpoint:

Vulnerable SQL Code Snippet:

and were neither validated nor parameterized.

---

## Impact Analysis

CVSS 3.1 Base Score: 7.6 (High)
Attack Vector: Remote

Successful exploitation could allow an attacker to:

- Dump sensitive data such as usernames and password hashes.
- Modify or delete database records.
- Potentially escalate privileges, depending on the database and the permissions of the user it runs as.

---

## Sample PoC

---

## Exploitation & Mitigation

A successful proof of concept was used to execute the query.

Mitigation suggestions:

- Use prepared statements or parameterized queries throughout the application.
- Sanitize and validate all user input.
- Apply the principle of least privilege to database accounts.

---

## Responsible Disclosure Timeline
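The mitigation list above is generic, so here is an added, self-contained illustration of the first two items: a lookup that concatenates user input into SQL beside the same lookup written with bound parameters, plus an allow-list validator for a numeric parameter. This is example code written for this page; it is not Zira WBRM code, does not reproduce the advisory's endpoint or query, and uses a constructed in-memory SQLite table with made-up rows (`SAMPLE_USERS`). All function names are the example's own.

```python
import sqlite3

# Constructed sample data for the demo (not from the advisory).
SAMPLE_USERS = [
    (1, "alice", "pbkdf2-hash-a"),
    (2, "bob", "pbkdf2-hash-b"),
]


def make_db():
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, username):
    """Deliberately insecure: input is concatenated into the statement text,
    so characters in the input are parsed as SQL rather than as data."""
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Parameterized query: the driver binds the value, so the input can
    never change the shape of the statement."""
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def is_valid_int(value):
    """Allow-list validation for a parameter that must be a non-negative integer."""
    return isinstance(value, str) and value.isdigit()


def find_user_by_id(conn, raw_id):
    """Validate first, then still bind the value; validation and
    parameterization are complementary, not alternatives."""
    if not is_valid_int(raw_id):
        raise ValueError("id must be a non-negative integer")
    sql = "SELECT id, username FROM users WHERE id = ?"
    return conn.execute(sql, (int(raw_id),)).fetchall()


def demo():
    """Run both lookups with a normal value and with a constructed tautology
    string, and return the rows each version yields."""
    conn = make_db()
    normal = "alice"
    crafted = "x' OR '1'='1"  # constructed input used only to show the difference
    return {
        "vulnerable_normal": find_user_vulnerable(conn, normal),
        "vulnerable_crafted": find_user_vulnerable(conn, crafted),
        "safe_normal": find_user_safe(conn, normal),
        "safe_crafted": find_user_safe(conn, crafted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The concatenated version returns every row for the crafted string because the quote in the input closes the literal and the rest becomes part of the WHERE clause; the bound version returns nothing because the whole string is compared as a value. The third mitigation, least privilege, is not visible in SQLite but matters in the deployed database: the account the application connects with should have only the SELECT/INSERT/UPDATE rights its queries need, so an injection that does get through cannot read unrelated tables or alter schema.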