CVE-2025-25349
📋 TL;DR
CVE-2025-25349 is a critical SQL injection vulnerability in PHPGurukul Daily Expense Tracker System v1.1. The costitem parameter of /dets/add-expense.php is placed into a SQL statement without parameterization, so anyone who can submit that form can inject arbitrary SQL and read or modify the application's database. Every installation running the vulnerable version is affected.
💻 Affected Systems
- PHPGurukul Daily Expense Tracker System
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the application database: theft or manipulation of all stored data, bypass of the application's login by tampering with user records, and, if the database account holds the MySQL FILE privilege and the web root is writable by the database server, code execution on the host by writing a web shell with SELECT ... INTO OUTFILE.
Likely Case
Unauthorized data extraction from the expense tracker database, including sensitive financial records and user information.
If Mitigated
Limited impact: with the database account restricted to the application's own schema and to the minimum privileges it needs (no FILE, no access to other databases), an attacker is confined to reading and altering expense-tracker data rather than reaching the host or other applications.
🎯 Exploit Status
The linked GitHub reference contains a detailed exploitation write-up. Exploitation is straightforward: the injection point is a single POST parameter, and common tools such as sqlmap detect and exploit it automatically.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Unknown
Restart Required: No
Instructions:
No official patch is known. Fix add-expense.php by replacing the direct insertion of $_POST values into the SQL text with a prepared statement (mysqli or PDO) that binds costitem and the other form fields as parameters, and apply the same change to any other script in the application that builds SQL by string concatenation.
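The following is an added example, not PHPGurukul's code: it shows the kind of string-built INSERT that causes this class of bug next to a hardened replacement that validates the fixed-format fields and binds every value with a mysqli prepared statement. The table and column names (tblexpense, UserId, ExpenseItem, ExpenseCost, ExpenseDate) and the exact shape of the original query are assumptions for illustration.

```php
<?php
// Added example for CVE-2025-25349; not code from the PHPGurukul project.
// ASSUMPTIONS: table/column names and the layout of the original INSERT are
// placeholders chosen to illustrate the bug, not the real schema.

// Vulnerable pattern: the raw POST value is spliced into the SQL text. A single
// quote inside costitem terminates the string literal, and everything after it
// is parsed by MySQL as SQL syntax.
function buildVulnerableSql(int $userId, string $costitem, string $cost, string $date): string
{
    return "INSERT INTO tblexpense (UserId, ExpenseItem, ExpenseCost, ExpenseDate)"
         . " VALUES ('$userId', '$costitem', '$cost', '$date')";
}

// Hardened replacement: validate the fields that have a fixed format, then bind
// every value as a parameter so the database never parses user input as SQL.
function addExpense(mysqli $con, int $userId, string $costitem, string $cost, string $date): bool
{
    $costitem = trim($costitem);
    if ($costitem === '' || strlen($costitem) > 200) {
        return false;
    }
    // Cost: digits with an optional two-decimal fraction.
    if (!preg_match('/^\d{1,9}(\.\d{1,2})?$/', $cost)) {
        return false;
    }
    // Date: strict YYYY-MM-DD; the round-trip check rejects values such as 2025-02-30.
    $d = DateTime::createFromFormat('!Y-m-d', $date);
    if ($d === false || $d->format('Y-m-d') !== $date) {
        return false;
    }

    $stmt = $con->prepare(
        'INSERT INTO tblexpense (UserId, ExpenseItem, ExpenseCost, ExpenseDate) VALUES (?, ?, ?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    // Even a costitem containing quotes or SQL keywords is sent as data here.
    $stmt->bind_param('isss', $userId, $costitem, $cost, $date);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Demonstration that needs no database: print the query the vulnerable pattern
// would send for a time-based probe value, so the broken-out string literal is visible.
$probe = "test' OR SLEEP(5) OR '1'='1";
echo buildVulnerableSql(1, $probe, '10.00', '2025-01-01'), PHP_EOL;
```

Running the script prints the INSERT with the probe value no longer enclosed in quotes, which is exactly what MySQL would evaluate. In the application, call addExpense() with the existing mysqli connection (the handle named $conn in the workaround below) and the logged-in user's id in place of the concatenated query; the bind_param() type string ('isss') must match the order and count of the placeholders.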
🔧 Temporary Workarounds
Input Validation and Sanitization
Add server-side validation of the costitem parameter before it reaches the database, and escape it as a stopgap until a prepared statement is in place.
Edit /dets/add-expense.php to add: $costitem = mysqli_real_escape_string($conn, $_POST['costitem']);
Caveat: escaping only protects a value that is enclosed in quotes in the SQL text; a value interpolated into a numeric or identifier position stays injectable, so this is a temporary measure, not the fix.
Web Application Firewall (WAF)
Deploy WAF rules that block SQL injection patterns in the costitem parameter of /dets/add-expense.php.
ModSecurity rule: SecRule ARGS:costitem "@detectSQLi" "id:1001,phase:2,deny,status:403,log,msg:'SQLi attempt in costitem'"
Caveat: WAF signatures reduce exposure but can be bypassed with encoding and syntax variations; treat the rule as a layer in front of the code fix, not a replacement for it.
🧯 If You Can't Patch
- Disable or restrict access to the /dets/add-expense.php endpoint via web server configuration (this removes the ability to add expenses until the code is fixed)
- Run the application with a dedicated database account limited to its own schema and to INSERT/SELECT/UPDATE/DELETE on the tables it needs (no FILE or administrative privileges), and segment the expense tracker host away from databases holding more sensitive data
🔍 How to Verify
Check if Vulnerable:
Submit the add-expense form with a costitem value containing a lone single quote and look for a MySQL syntax error in the response or the server error log; if the value is inserted inside a quoted string literal, a time-based payload such as costitem=test' OR SLEEP(5) OR '1'='1 delays the response by about five seconds on a vulnerable install. Boolean payloads such as costitem=test' OR '1'='1 are a weak indicator here because they are still valid SQL inside an INSERT and produce no visible difference. Test only against systems you are authorized to assess.
Check Version:
Check version in application files or database configuration, typically in includes/config.php or similar
Verify Fix Applied:
Confirm that add-expense.php builds its query with a prepared statement and bound parameters, then repeat the probes above: the single quote should be stored verbatim as part of the item name without any error, and the SLEEP payload should return without a delay.
📡 Detection & Monitoring
Log Indicators:
- MySQL syntax error messages appearing in the PHP or web server error log for requests to add-expense.php
- Multiple failed login attempts following SQL injection patterns
- Queries from the web application's database account that contain clauses the application never issues (UNION, SLEEP, INTO OUTFILE, comment sequences), visible in the MySQL general query log if it is enabled
Network Indicators:
- HTTP POST requests to /dets/add-expense.php whose costitem value contains SQL keywords, quotes or comment sequences; standard access logs do not record POST bodies, so this requires request-body logging such as the ModSecurity audit log
- Unusually long-running or high-volume database connections from the web server, consistent with time-based or automated (sqlmap) probing
SIEM Query:
source="web_server.log" AND uri_path="/dets/add-expense.php" AND (param="costitem" AND value MATCHES "(?i)(union|select|insert|update|delete|drop|--|#|;|')")
This is pseudo-syntax to adapt to your SIEM's query language; it assumes a log source that captures POST parameter names and values (for example a ModSecurity audit log or application-level request logging), and the quote and semicolon terms will match legitimate item names, so tune thresholds before alerting on a single hit.