# SQLi ITC Multiplan (CVE-2025-29529)
## Discovery
On February 21, 2025, an SQL injection vulnerability was identified in the “Multiplan” platform developed by ITC Systems during a client engagement.
## Affected Versions
This vulnerability has only been tested on v3.7.4.1002.

## Attack Vector
The "ctl00%24cpLogin%24ctlForgotPassword%24txtEmail" POST parameter used by the "ForgotPassword.aspx" endpoint was found to be unsanitized. An unauthenticated threat actor may leverage this vulnerability to read the application's backend database.
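
Since the affected field is only meant to carry an e-mail address, a strict allowlist on that single field can serve as a detection or filtering check in front of the endpoint. The following is an added example, not code from ITC or from the original README; the function name, the e-mail pattern, the length limit and the sample request bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Page and field name as given in this README (URL-decoded form of
# ctl00%24cpLogin%24ctlForgotPassword%24txtEmail).
ENDPOINT = "forgotpassword.aspx"
FIELD = "ctl00$cpLogin$ctlForgotPassword$txtEmail"

# Assumption: a deliberately strict e-mail allowlist. It excludes quotes,
# whitespace, parentheses and semicolons, at the cost of rejecting some
# unusual but valid addresses.
EMAIL_RE = re.compile(r"[A-Za-z0-9._+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
MAX_LEN = 254  # assumption: overall length limit for an address


def check_forgot_password(path: str, body: str) -> tuple[bool, str]:
    """Return (allowed, reason) for one POST, given its path and form body."""
    # IIS paths are case-insensitive and may carry a query string or path info.
    if ENDPOINT not in path.lower():
        return True, "other endpoint"
    pairs = parse_qsl(body, keep_blank_values=True)
    # ASP.NET form collections match keys case-insensitively, so compare the
    # same way; a repeated field is rejected rather than merged.
    values = [v for k, v in pairs if k.lower() == FIELD.lower()]
    if len(values) != 1:
        return False, "field missing or repeated"
    value = values[0]
    if len(value) > MAX_LEN or not EMAIL_RE.fullmatch(value):
        return False, "value is not a plain e-mail address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample bodies, not captured traffic.
    samples = [
        "ctl00%24cpLogin%24ctlForgotPassword%24txtEmail=user%40example.com",
        "ctl00%24cpLogin%24ctlForgotPassword%24txtEmail=user%40example.com%27",
    ]
    for s in samples:
        print(check_forgot_password("/ForgotPassword.aspx", s), s)
```

Rejected requests are worth logging with their source address, since a legitimate password-reset form rarely produces them.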

## POC
As a Proof-of-Concept (PoC), database information such as tables and columns was collected.


## Vulnerability Check
* Copy and paste a Burp Suite POST request for the /ForgotPassword.aspx endpoint into a text file.
* Run sqlmap against the saved request: `sqlmap -r burprequest.txt -p ctl00%24cpLogin%24ctlForgotPassword%24txtEmail`
## Remediation
Update the platform to ITC's current offering by contacting ITC Sales to discuss an upgrade path to netZcore on-premise or netZcore Avro, ITC's advanced OneCard Cloud service.
## References
https://itcsystems.com/end-of-service-life-eosl-notice-multiplan-matrix-onecard-platform/