Food Ordering Review System SQL Injection Vulnerability

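Vulnerability Information

Vulnerability name: Food Ordering Review System SQL Injection Vulnerability

Vulnerability ID:

  • CVE: CVE-2025-8018

Vulnerability type: SQL injection

Severity: High

Description: Food Ordering Review System v1.0 is a system for online food ordering and reviews. It is widely used in the catering industry and provides ordering, review and related functions to users. In a typical deployment it runs as a web application component serving a catering business's online services. The SQL injection vulnerability found in this system is in the reg_Id parameter of reservation_page.php and is an unauthenticated SQL injection. The technical root cause is improper handling of user input: the reg_Id parameter is not sufficiently validated or filtered, so an attacker can execute arbitrary SQL queries by crafting malicious input. The vulnerability is serious because an attacker can exploit it without authentication and, using UNION-based and time-based SQL injection techniques, extract sensitive information from the database, such as the usernames and passwords in the users table. An attacker can also use it for data extraction that includes guessing field lengths through blind injection, which further increases the risk of data leakage. The vulnerability exposes affected systems to serious security threats and may lead to sensitive data leakage, service disruption and other problems.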

Product name: Food Ordering Review System

Affected version: 1.0

Source: https://github.com/drackyjr/CVE-2025-8018

Type: CVE-2025:github search

Repository files

  • LICENSE
  • README.md
  • cve-2025-8018.py

Source overview

CVE-2025-8018 Exploit – Food Ordering Review System v1.0

This repository provides a Python proof-of-concept (PoC) exploit for CVE-2025-8018, a high-severity SQL Injection vulnerability discovered in the Food Ordering Review System v1.0. The vulnerability is triggered via the reg_Id parameter in reservation_page.php.

📌 Vulnerability Overview

  • Type: SQL Injection (Unauthenticated)
  • Affected File: /user/reservation_page.php
  • Vulnerable Parameter: reg_Id
  • Disclosure Date: July 22, 2025
  • CVE Reference: CVE-2025-8018
  • Impact: Allows attackers to execute arbitrary SQL queries, including data extraction from the users table, without authentication

💡 Exploit Features

  1. Time-based blind SQL injection check using SLEEP()
  2. Column-count discovery using UNION SELECT NULL,NULL,...
  3. Data extraction (e.g., usernames, passwords) via UNION-based injection
  4. Blind fallback extraction to guess field lengths if direct output isn’t visible

🛠️ Requirements

  • Python 3.x
  • requests library

Install dependencies:

pip install requests

How to Use
Clone the repository:

git clone https://github.com/drackyjr/CVE-2025-8018.git
cd CVE-2025-8018

Update the target URL:

Open cve-2025-8018.py and modify:

TARGET_URL = "http://TARGET-IP/user/reservation_page.php"
Replace TARGET-IP with the actual address of the vulnerable system.

Run the exploit script:

python3 cve-2025-8018.py

Output

[*] Checking time-based SQLi with payload: 1 AND SLEEP(5)-- 
[+] Blind SQL injection confirmed!
[*] Testing how many columns the query expects...
[+] Looks like 3 columns work!
[*] Trying to extract data using UNION-based SQL injection...
[+] Found potential credentials in the response!
[*] Trying blind extraction fallback...
[+] Username is 7 characters long!
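
For defenders, the probes shown in the output above leave recognizable traces in web server access logs. The following Python script is an added example, not code from the repository: it flags requests to /user/reservation_page.php whose reg_Id is not a plain integer and labels the time-based and UNION-based patterns. It assumes combined-format access logs and that reg_Id is a numeric identifier; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path and parameter are from the advisory. Assumption: reg_Id is a numeric id.
VULN_PATH = "/user/reservation_page.php"
PARAM = "reg_Id"

# Heuristic signatures for techniques the PoC lists (illustrative, not exhaustive).
SIGNATURES = [
    ("time-based", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("union-based", re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S)),
]

# Assumption: Apache/nginx combined log format; POST bodies are not logged there.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(value):
    """Return labels for a reg_Id value; an empty list means a plain integer."""
    if re.fullmatch(r"\d+", value):
        return []
    labels = [name for name, rx in SIGNATURES if rx.search(value)]
    return labels or ["non-numeric"]

def scan(lines):
    """Yield (client_ip, decoded reg_Id, labels) for suspicious requests."""
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        url = urlsplit(target)
        if url.path != VULN_PATH:
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            labels = classify(value)
            if labels:
                yield ip, value, labels

# Constructed sample log lines (documentation IP ranges), not captured traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [23/Jul/2025:10:00:01 +0000] "GET /user/reservation_page.php?reg_Id=12 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [23/Jul/2025:10:00:05 +0000] "GET /user/reservation_page.php?reg_Id=1%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [23/Jul/2025:10:00:11 +0000] "GET /user/reservation_page.php?reg_Id=1+UNION+SELECT+NULL,NULL,NULL--+ HTTP/1.1" 200 5301',
    '203.0.113.9 - - [23/Jul/2025:10:00:14 +0000] "GET /user/reservation_page.php?reg_Id=7%27 HTTP/1.1" 500 310',
]

if __name__ == "__main__":
    for ip, value, labels in scan(SAMPLE_LOG):
        print(f"{ip} reg_Id={value!r} -> {', '.join(labels)}")
```

A time-based probe also shows up as a response time close to the SLEEP() argument, so logging request duration gives a second signal alongside the query-string match.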

⚠️ Disclaimer
This PoC is provided strictly for educational purposes, such as CTF challenges, cybersecurity training, or defense testing on your own systems.

Do not use this against any production systems or systems you do not have explicit permission to test. The author and any associated parties are not responsible for misuse or damage resulting from the code.


http://example.com/2025/07/23/github_1710417321/
Author: lianccc
Published: July 23, 2025