CVE-2018-25167

HIGH

Net-Billetterie 2.9 - SQL Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25167. PoCs published by Ihsan Sencan.

AI-analyzed exploit summary This exploit demonstrates a SQL injection vulnerability in Net-Billetterie 2.9's login.inc.php. The payload bypasses authentication by injecting a crafted SQL query via the 'login' parameter, leveraging the lack of input sanitization.

Description

Net-Billetterie 2.9 contains an SQL injection vulnerability in the login parameter of login.inc.php that allows unauthenticated attackers to execute arbitrary SQL queries. Attackers can submit malicious SQL code through the login POST parameter to extract database information including usernames, passwords, and system credentials.

Exploits (1)

exploitdb WORKING POC
by Ihsan Sencan · textwebappsphp
https://www.exploit-db.com/exploits/45863

This exploit demonstrates a SQL injection vulnerability in Net-Billetterie 2.9's login.inc.php. The payload bypasses authentication by injecting a crafted SQL query via the 'login' parameter, leveraging the lack of input sanitization.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: Net-Billetterie 2.9
No auth needed
Prerequisites: Access to the login page · PHPSESSID cookie
devstral-2 · analyzed Mar 06, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/45863

Scores

CVSS v3 8.2
EPSS 0.0023
EPSS Percentile 13.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-89
Status published
Published Mar 06, 2026
Tracked Since Mar 06, 2026