CVE-2018-25338

HIGH

Zechat 1.5 SQL Injection via hashtag parameter

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25338. PoCs published by L0RD.

AI-analyzed exploit summary The exploit demonstrates SQL injection via the 'hashtag' and 'v' parameters, and a CSRF attack leveraging a reflected XSS in the 'hashtag' parameter to bypass anti-CSRF protections. It includes functional payloads for both SQLi and CSRF attacks.

Description

Zechat 1.5 contains a SQL injection vulnerability in the hashtag parameter that allows unauthenticated attackers to extract database information using union-based techniques. Attackers can exploit the hashtag parameter with union-based payloads to retrieve table and column names.

Exploits (1)

exploitdb WORKING POC

by L0RD · textwebappsphp

https://www.exploit-db.com/exploits/44685

View Code ZIP pw:eip

The exploit demonstrates SQL injection via the 'hashtag' and 'v' parameters, and a CSRF attack leveraging a reflected XSS in the 'hashtag' parameter to bypass anti-CSRF protections. It includes functional payloads for both SQLi and CSRF attacks.

Classification

Working Poc 95%

Attack Type

Sqli | Xss | Csrf

Complexity

Moderate

Reliability

Reliable

Target: Zechat 1.5

No auth needed

Prerequisites: access to the target application · ability to craft malicious URLs or forms

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1059.007 - JavaScript T1189 - Drive-by Compromise

devstral-2 · analyzed May 17, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit exploit

ExploitDB-44685

https://www.exploit-db.com/exploits/44685

Product product

Official Product Homepage

https://bylancer.com

Third Party Advisory third-party-advisory

VulnCheck Advisory: Zechat 1.5 SQL Injection via hashtag parameter

https://www.vulncheck.com/advisories/zechat-sql-injection-via-hashtag-parameter

Scores

CVSS v3 8.2

EPSS 0.0027

EPSS Percentile 18.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-89

Status published

Products (1)

Bylancer/Zechat 1.5

Published May 17, 2026

Tracked Since May 17, 2026