CVE-2018-25339

HIGH

Zechat 1.5 SQL Injection via v parameter (time-based blind)

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25339. PoCs published by L0RD.

AI-analyzed exploit summary The exploit demonstrates SQL injection (Union-based and time-based blind) and CSRF vulnerabilities in Zechat 1.5. It includes functional payloads for SQLi via the 'hashtag' and 'v' parameters, and a CSRF exploit that bypasses anti-CSRF protection using a reflected XSS in the 'hashtag' parameter.

Description

Zechat 1.5 contains a SQL injection vulnerability in the v parameter that allows unauthenticated attackers to extract database information using time-based blind techniques. Attackers can exploit the v parameter with sleep-based blind injection to confirm vulnerability and extract data.

Exploits (1)

exploitdb WORKING POC

by L0RD · textwebappsphp

https://www.exploit-db.com/exploits/44685

View Code ZIP pw:eip

The exploit demonstrates SQL injection (Union-based and time-based blind) and CSRF vulnerabilities in Zechat 1.5. It includes functional payloads for SQLi via the 'hashtag' and 'v' parameters, and a CSRF exploit that bypasses anti-CSRF protection using a reflected XSS in the 'hashtag' parameter.

Classification

Working Poc 95%

Attack Type

Sqli | Xss | Csrf

Complexity

Moderate

Reliability

Reliable

Target: Zechat 1.5

No auth needed

Prerequisites: Access to the target application · User interaction for CSRF exploit

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1059.007 - JavaScript T1189 - Drive-by Compromise

devstral-2 · analyzed May 17, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit exploit

ExploitDB-44685

https://www.exploit-db.com/exploits/44685

Product product

Official Product Homepage

https://bylancer.com

Third Party Advisory third-party-advisory

VulnCheck Advisory: Zechat 1.5 SQL Injection via v parameter (time-based blind)

https://www.vulncheck.com/advisories/zechat-sql-injection-via-v-parameter-time-based-blind

Scores

CVSS v3 8.2

EPSS 0.0027

EPSS Percentile 18.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-89

Status published

Products (1)

Bylancer/Zechat 1.5

Published May 17, 2026

Tracked Since May 17, 2026