Related vulnerability
Description
SQL Injection in Dietiqa App v1.0.20 (CVE-2025-28009) – Unauthenticated remote data access via vulnerable parameter.
Introduction
# CVE-2025-28009 - SQL Injection in Dietiqa App v1.0.20
> **Discovered by:** Saharuddin Azman
> **Vendor:** Appventure Sdn Bhd
> **Product:** Dietiqa App
> **Version Affected:** v1.0.20
> **CVE ID:** CVE-2025-28009
> **Vulnerability Type:** SQL Injection
## 📝 Description
A SQL Injection vulnerability exists in the `u` parameter of the `progress-body-weight.php` endpoint in Dietiqa App v1.0.20. An attacker can manipulate this parameter to inject arbitrary SQL queries into the backend database.
This flaw can be exploited remotely without authentication, posing a serious risk to user data confidentiality and application integrity.
## 🧪 Technical Summary
- **Vulnerable endpoint:** `progress-body-weight.php`
- **Vulnerable parameter:** `u`
- **Issue:** Unsanitized input allows SQL query injection
- **Risk level:** High – attackers may access or modify sensitive user data
Detailed proof of concept (PoC) has been withheld for ethical and security considerations.
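The pattern behind the flaw, and the remediation a defender would apply, as an added illustration that is not Dietiqa's code (the real handler and schema are not published; the table `body_weight`, its columns, the `$pdo` connection and a session user id are all assumed):

```php
<?php
declare(strict_types=1);

// Hypothetical schema assumed for this example: body_weight(user_id INT, weight DECIMAL, recorded_at DATETIME).

// Vulnerable pattern: the `u` request parameter is interpolated straight into the SQL string.
// Whatever the client sends becomes part of the query text, which is the defect class the
// advisory describes for progress-body-weight.php.
function progressVulnerable(PDO $pdo, string $u): array
{
    $sql = "SELECT weight, recorded_at FROM body_weight WHERE user_id = '$u' ORDER BY recorded_at";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: validate the type, bind the value as a parameter, and tie the lookup to
// the authenticated session (the advisory notes the endpoint was reachable without authentication).
function progressHardened(PDO $pdo, ?int $sessionUserId, string $u): array
{
    // No session: the endpoint must not serve progress data at all.
    if ($sessionUserId === null) {
        http_response_code(401);
        return [];
    }
    // Only a positive integer is an acceptable user id; reject anything else outright.
    if (!ctype_digit($u) || (int) $u < 1) {
        http_response_code(400);
        return [];
    }
    $userId = (int) $u;
    // Authorization: a user may only read their own progress, whatever `u` they supplied.
    if ($userId !== $sessionUserId) {
        http_response_code(403);
        return [];
    }
    // The value travels as a bound parameter, never as query text, so it cannot alter the statement.
    $stmt = $pdo->prepare(
        'SELECT weight, recorded_at FROM body_weight WHERE user_id = :uid ORDER BY recorded_at'
    );
    $stmt->execute([':uid' => $userId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Example wiring (assumed session handling): $rows = progressHardened($pdo, $_SESSION['user_id'] ?? null, $_GET['u'] ?? '');
```

Setting `PDO::ATTR_EMULATE_PREPARES` to `false` on the connection makes the server, not the driver, perform the parameter binding.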
## ✅ Vendor Status
The vendor, Appventure Sdn Bhd, has acknowledged the vulnerability. A fix is expected in a future release. As of now, version 1.0.20 remains vulnerable.
## 🔗 References
- [CVE Record](https://cve.org/CVERecord?id=CVE-2025-28009)
- [Vendor Website](http://dietiqa.com)
- [Appventure Sdn Bhd](http://appventure.com)
## ⚠️ Disclosure Ethics
This issue was disclosed responsibly. The vendor was notified and given time to respond. This repository omits weaponized details and PoC in alignment with responsible disclosure best practices.
## 📄 Disclaimer
This repository is intended for **educational and research purposes only**.
Do not attempt to exploit vulnerabilities on systems you do not own or have permission to test.
The author is not responsible for any misuse of this information.
File snapshot
[4.0K] /data/pocs/733f8b32111355aa6a349d2a2f89bc7625bcf368
└── [1.8K] README.md
0 directories, 1 file
Notes
1. It is recommended to access the material through the original source first.
2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.