PoC details: 688fd24aeaf6522ddae0b2c40667fcc0559833e7

Source
Related vulnerability
Title: CloudClassroom-PHP-Project security vulnerability (CVE-2025-26198)
Description: CloudClassroom-PHP-Project is a cloud classroom website developed by the individual developer Vishal Mathur. CloudClassroom-PHP-Project 1.0 contains a security vulnerability: loginlinkadmin.php is affected by SQL injection, which may allow authentication to be bypassed.
Description
Public Disclosure
Introduction
# 🛡️ CVE Disclosure: CVE-2025-26198 — SQL Injection in CloudClassroom-PHP-Project

**Disclosure Date:** 18 June 2025  
**CVE ID:** CVE-2025-26198  
**Severity:** CRITICAL (CVSS 9.8)

---

## 🧩 Summary

A critical SQL Injection vulnerability exists in `CloudClassroom-PHP-Project v1.0`, specifically within the `loginlinkadmin.php` endpoint. The application directly incorporates unsanitized user inputs into SQL queries, allowing unauthenticated attackers to bypass authentication and gain full administrative access.

This issue has been assigned the identifier **CVE-2025-26198**. At the time of public disclosure, **no official patch** was available.

---

## 📦 Affected Product

- **Vendor:** Independent (mathurvishal)
- **Project:** [CloudClassroom-PHP-Project](https://github.com/mathurvishal/CloudClassroom-PHP-Project)
- **Version:** v1.0
- **File:** `loginlinkadmin.php`
- **Vulnerable Endpoint:**  
  `http://localhost/CloudClassroom-PHP-Project-master/loginlinkadmin.php`

---

## 🔬 Vulnerability Details

The admin login mechanism uses unsanitized input directly in SQL queries without any input validation or prepared statements:

```php
// Vulnerable: $username and $password are taken straight from the login form
// and interpolated into the SQL string, so quotes in the input alter the query.
$query = "SELECT * FROM admin WHERE username='$username' AND password='$password'";
```

This allows for injection payloads such as:

```text
Username: ' OR '1'='1
Password: [any value]
```

The leading quote closes the `username` string literal, and the injected `OR '1'='1'` clause makes the `WHERE` condition true for every row, so the query returns admin records regardless of the password supplied and the application grants access to the admin dashboard.

---

## 📌 CWE Classification

| CWE ID | Title                                                                 |
|--------|-----------------------------------------------------------------------|
| [CWE-89](https://cwe.mitre.org/data/definitions/89.html) | Improper Neutralization of Special Elements used in an SQL Command |

---

## 📊 CVSS v3.1 Score

| Score | Severity | Vector String                              |
|-------|----------|---------------------------------------------|
| 9.8   | CRITICAL | `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` |

---

## 💥 Impact

A successful exploitation could result in:

- ✅ Full **authentication bypass**
- 🔓 **Unauthorized access** to privileged admin features
- 🛠️ Potential **data leakage or manipulation** using `UNION`-based SQL injection
- ⚠️ Full **compromise of the backend database**

---

## 🧪 Proof of Concept (PoC)

### 1. Clone the Repository

```bash
git clone https://github.com/mathurvishal/CloudClassroom-PHP-Project.git
```

### 2. Host Locally

Use XAMPP/LAMP to deploy the project and navigate to:

```
http://localhost/CloudClassroom-PHP-Project-master/loginlinkadmin.php
```

### 3. Payload Injection

Enter the following credentials in the login form:

- **Username:** `' OR '1'='1`
- **Password:** `[any value]`

You will be logged in as the first admin user, verifying successful SQL injection.

---

## 🔐 Recommendations

- ✅ Replace dynamic SQL queries with **prepared statements** (`mysqli_prepare()` or **PDO**).
- 🔍 Perform **input validation and sanitization** for all user inputs.
- 🧱 Deploy a **Web Application Firewall (WAF)** to block known SQL injection patterns.
- 🛡️ Conduct **regular code audits** and **penetration testing** for early detection.
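The following is an added example of the first recommendation applied to the vulnerable query above; it is not code from the CloudClassroom-PHP-Project repository. It assumes the `admin` table and its `username`/`password` columns named in the vulnerable query, a mysqlnd-enabled `mysqli` (for `get_result()`), and, as an additional hardening assumption, that the `password` column holds a `password_hash()` digest rather than plaintext.

```php
<?php
// Added example (not the project's code): hardened admin login for
// loginlinkadmin.php using a mysqli prepared statement.
// Assumptions: table `admin` with columns `id`, `username`, `password`;
// `password` stores a password_hash() digest; mysqlnd is available.

// Look up the admin row for a username. Returns the row, or null if none.
function find_admin(mysqli $db, string $username): ?array
{
    // The `?` placeholder keeps the user-supplied value out of the SQL text:
    // an input such as  ' OR '1'='1  is compared literally as a username,
    // never parsed as part of the WHERE clause.
    $stmt = $db->prepare(
        'SELECT id, username, password FROM admin WHERE username = ? LIMIT 1'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Verify submitted credentials. Returns true only for a real username whose
// stored hash matches the submitted password.
function admin_login(mysqli $db, string $username, string $password): bool
{
    $row = find_admin($db, $username);
    if ($row === null) {
        return false;
    }
    return password_verify($password, $row['password']);
}

// Request handling (connection details are placeholders).
session_start();
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$db->set_charset('utf8mb4');

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

if (admin_login($db, $username, $password)) {
    session_regenerate_id(true);          // prevent session fixation on login
    $_SESSION['admin'] = $username;
    header('Location: admin_dashboard.php'); // placeholder target page
    exit;
}
http_response_code(401);
echo 'Invalid credentials';
```

Existing plaintext passwords in the `admin` table would need to be migrated to `password_hash()` digests before this check can succeed.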

---

## 📆 Timeline

| Event                    | Date           |
|--------------------------|----------------|
| Vulnerability Discovered | 14 April 2025  |
| Public Disclosure        | 18 June 2025   |
| Patch Available          | ❌ Not available as of disclosure |

---

## 🙋‍♂️ Credits

This vulnerability was discovered and responsibly disclosed by:

**Tansique Dasari**  
🔗 [GitHub](https://github.com/phantomtrace)  
✉️ [tansique.d@gmail.com](mailto:tansique.d@gmail.com)

---

## 🔗 References

- [OWASP - SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection)
- [PortSwigger - SQL Injection](https://portswigger.net/web-security/sql-injection)
- [CloudClassroom GitHub Repository](https://github.com/mathurvishal/CloudClassroom-PHP-Project)
- [CVE-2025-26198 on CVE.org](https://cve.org/CVERecord?id=CVE-2025-26198)

---

> 💬 *This advisory is published independently due to lack of vendor response.*
File snapshot

[4.0K] /data/pocs/688fd24aeaf6522ddae0b2c40667fcc0559833e7 └── [4.1K] README.md 0 directories, 1 file
Cached for you by the Shenlong bot
Notes
    1. It is recommended to access the PoC through the original source first.
    2. If the source is no longer available or cannot be accessed, send an e-mail to f.jinxu#gmail.com to request a local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.