Share
## https://sploitus.com/exploit?id=PACKETSTORM:218758
# CVE-2025-65950: WBCE CMS is Vulnerable to Time-Based Blind SQL Injection through groups[] Parameter
    
    ## Overview
    
    | Field | Details |
    |---|---|
    | **CVE ID** | [CVE-2025-65950](https://nvd.nist.gov/vuln/detail/CVE-2025-65950) |
    | **Severity** | CRITICAL |
    | **Advisory** | [View Advisory](https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-934v-xhx9-j2f3) |
    | **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |
    
    ## Affected Products
    
    - **WBCE/WBCE_CMS**
    
    
    
    ## Details
    
    ### Summary
    
    A critical SQL Injection vulnerability in the user management module allows a low-privileged authenticated user with permissions to modify users to execute arbitrary SQL queries. This can be escalated to a full database compromise, data exfiltration, effectively bypassing all security controls.
    
    ### Details
    
    The vulnerability exists in the `admin/users/save.php` script, which handles updates to user profiles. The script improperly processes the `groups[]` parameter sent from the user edit form.
    
    ### PoC
    
    The proof of concept involves using a time-based blind SQL injection to confirm arbitrary SQL execution.
    
    1.  **Prerequisites:**
        *   An authenticated user account belonging to a group with "Users - Modify" (`users_modify`) permissions. This user **does not** need to be a full administrator.
        
    <img width="823" height="941" alt="image" src="https://github.com/user-attachments/assets/8b2085a6-df19-4d36-abf0-6c50466d462d" />
    
    
    2.  **Reproduction Steps:**
    
        a. Log in as the low-privileged user.
        b. Navigate to "Access" -> "Users" and select any user for modification.
        
    <img width="1402" height="660" alt="image" src="https://github.com/user-attachments/assets/66ed918a-f47b-4ba4-bd44-340fcad5ad41" />
    <img width="1434" height="702" alt="image" src="https://github.com/user-attachments/assets/24f3a85d-28a9-4c85-a3eb-5e1cf3a5ec3d" />
        c. Capture the POST request sent to /wbce/admin/users/save.php when the "Save" button is clicked.
    <img width="1073" height="731" alt="image" src="https://github.com/user-attachments/assets/bc88cf5d-c8ea-43ad-8197-36239f727b58" />
    
        d. Edit `groups[]` parameter with the following URL-encoded payload, which will attempt to make the database wait for 10 seconds: groups%5B%5D=2%27+%2C+%60active%60+%3D+SLEEP(10)+--+
    
        *(Decoded payload: 2' , `active` = SLEEP(10) -- )*
    
        f. Send the modified request.
    
    3.  **Verification:**
      
    <img width="1909" height="801" alt="image" src="https://github.com/user-attachments/assets/de9457e0-793b-4551-b59d-fe9341fce47c" />
    
    **Data Exfiltration Example: Retrieving the Database Name**
    
        **Example Payload to Test a Character:**
       
    `groups%5B%5D=2%27+%2C+%60active%60+%3D+IF(SUBSTRING(DATABASE()%2C+1%2C+1)+%3D+%27w%27%2C+SLEEP(5)%2C+0)+--+`
    
        This manual process can be continued to reveal the full database name and, subsequently, any other data in the database.
    
    <img width="957" height="583" alt="image" src="https://github.com/user-attachments/assets/c1bacf39-d871-4004-ab6d-5d404901ff28" />
    
    <img width="1910" height="801" alt="image" src="https://github.com/user-attachments/assets/3be4ab9d-75ce-4cbf-bc68-9ebbc5f92116" />
    
    
    ### Impact
    
    A low-privileged user, who should only be able to make benign changes to user profiles, can gain full control over the database.
    
    The impact includes, but is not limited to:
    *   Reading all data from any table, including session data, password hashes, and personal user information.
    ---
    
    ## References
    
    - https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-934v-xhx9-j2f3
    - https://github.com/WBCE/WBCE_CMS/commit/96046178f4c80cf16f7c224054dec7fdadddda7e
    - https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.5
    
    
    ## Disclaimer
    
    This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.