
CVE-2025-6156: PHPGurukul Nipah Virus SQLi Vulnerability

CVE-2025-6156 is a critical SQL injection vulnerability in PHPGurukul Nipah Virus Testing Management System 1.0 that allows remote attackers to manipulate database queries. This article covers technical details, impact, and mitigation.

CVE-2025-6156 Overview

CVE-2025-6156 is a SQL injection vulnerability in PHPGurukul Nipah Virus Testing Management System 1.0. The flaw resides in the /bwdates-report-ds.php script, where the testtype parameter is passed to a database query without proper sanitization. A remote attacker holding low-privilege credentials can manipulate this parameter to inject arbitrary SQL statements. The exploit details have been disclosed publicly, increasing the likelihood of opportunistic abuse against unpatched deployments. The weakness is tracked under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).

Critical Impact

Authenticated remote attackers can inject SQL through the testtype parameter in /bwdates-report-ds.php, exposing or modifying records stored in the application database.

Affected Products

  • PHPGurukul Nipah Virus Testing Management System 1.0
  • Component: /bwdates-report-ds.php
  • Vulnerable parameter: testtype

Discovery Timeline

  • 2025-06-17 - CVE-2025-6156 published to NVD
  • 2026-04-29 - Last updated in NVD database

Technical Details for CVE-2025-6156

Vulnerability Analysis

The vulnerability exists in the date-range reporting endpoint /bwdates-report-ds.php. The script accepts the testtype parameter from an HTTP request and concatenates the value directly into a SQL statement. Because the application does not validate, sanitize, or parameterize the input, an attacker can append SQL syntax to break out of the intended query context.

Successful exploitation allows attackers to read patient records, enumerate database schema details, modify report data, or pivot toward authentication bypass through UNION-based or boolean-based queries. The endpoint is reachable over the network and requires only low-privilege credentials, which lowers the bar for exploitation. The PHPGurukul codebase has a history of similar input-handling defects, and the public disclosure on VulDB and GitHub provides attackers with sufficient detail to reproduce the issue.

Root Cause

The root cause is improper neutralization of special elements in user-controlled input (CWE-74). The testtype request parameter is interpolated into a SQL query string without prepared statements or input validation, allowing query structure to be altered by attacker-controlled data.

Attack Vector

The attack vector is network-based. An authenticated user with a valid low-privilege session sends a crafted HTTP request to /bwdates-report-ds.php containing SQL metacharacters in the testtype parameter. No user interaction is required, and the technique does not need elevated privileges beyond a standard application account.

No verified proof-of-concept code is available in the referenced sources. Refer to the GitHub issue discussion and VulDB entry #312631 for further technical details on the parameter manipulation.

Detection Methods for CVE-2025-6156

Indicators of Compromise

  • HTTP requests to /bwdates-report-ds.php containing SQL metacharacters such as ', --, UNION, SLEEP(, or OR 1=1 inside the testtype parameter.
  • Web server access logs showing unusually long or URL-encoded testtype values from a single source.
  • Database error messages referencing syntax errors originating from the reporting endpoint.
  • Unexpected SELECT activity touching unrelated tables shortly after requests to the reporting page.

Detection Strategies

  • Deploy a Web Application Firewall (WAF) signature that flags SQL keywords and tautologies in the testtype query string.
  • Enable MySQL general query logging during incident response to correlate inbound requests with executed statements.
  • Hunt across authenticated session logs for accounts issuing report queries outside normal business patterns.

Monitoring Recommendations

  • Forward web server, PHP error, and database logs to a centralized analytics platform for correlation.
  • Alert on HTTP 500 responses from /bwdates-report-ds.php, which often indicate failed injection attempts.
  • Track authenticated user accounts that suddenly access the reporting endpoint at high frequency.
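
A log-triage sketch for the indicators and the HTTP 500 alert listed above, added here as an example (it is not code from the vendor or from the referenced disclosures). It assumes combined-format access logs and that testtype arrives in the query string; the 64-character length threshold, the sample test-type value and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/bwdates-report-ds.php"
# Tokens from the advisory's indicator list: ', --, UNION, SLEEP(, OR 1=1
SQLI = re.compile(r"'|--|\bunion\b|sleep\s*\(|\bor\s+1\s*=\s*1", re.I)
MAX_LEN = 64  # assumed threshold for an "unusually long" testtype value
# Combined log format: ip ident user [time] "METHOD target PROTO" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def triage(lines):
    """Return (source_ip, reason, decoded_value) for each suspicious request."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an access-log line we understand
        ip, _method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith(ENDPOINT):
            continue
        # parse_qs percent-decodes, so URL-encoded payloads are matched too
        for value in parse_qs(url.query, keep_blank_values=True).get("testtype", []):
            if SQLI.search(value):
                findings.append((ip, "sqli-token", value))
            elif len(value) > MAX_LEN:
                findings.append((ip, "long-value", value))
        if status == "500":
            findings.append((ip, "http-500", ""))
    return findings

# Constructed sample lines (not real traffic)
SAMPLE = [
    '198.51.100.7 - - [17/Jun/2025:10:00:01 +0000] '
    '"GET /bwdates-report-ds.php?testtype=Antigen HTTP/1.1" 200 5120',
    '203.0.113.9 - - [17/Jun/2025:10:02:13 +0000] '
    '"GET /bwdates-report-ds.php?testtype=x%27%20OR%201%3D1--%20 HTTP/1.1" 500 312',
    '203.0.113.9 - - [17/Jun/2025:10:02:15 +0000] "GET /index.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Values sent in a POST body do not appear in access logs, so pair this with WAF or application logging if the report form posts its fields.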

How to Mitigate CVE-2025-6156

Immediate Actions Required

  • Restrict access to /bwdates-report-ds.php to trusted internal networks or VPN users until a patch is applied.
  • Disable or remove the affected reporting feature if it is not required for operations.
  • Rotate database and application credentials if injection activity is suspected in the logs.
  • Review accounts created in the application for unauthorized modifications.

Patch Information

No official vendor patch has been published at the time of writing. Monitor the PHPGurukul website for updated releases of the Nipah Virus Testing Management System. Customers running version 1.0 should treat the product as vulnerable until a fixed build is released.

Workarounds

  • Place the application behind a WAF with rules that block SQL injection patterns in the testtype parameter.
  • Modify the source to use parameterized queries (PDO prepared statements or mysqli_stmt_bind_param) for all input passed to SQL.
  • Apply server-side input validation that restricts testtype to an allow-list of expected values.
  • Run the database account used by the application with the minimum privileges required for reporting.

```apache
# Example ModSecurity rule blocking common SQLi tokens on the affected endpoint
SecRule REQUEST_URI "@contains /bwdates-report-ds.php" \
    "chain,deny,status:403,id:1006156,msg:'CVE-2025-6156 SQLi attempt'"
    SecRule ARGS:testtype "@rx (?i)(union\s+select|or\s+1=1|sleep\(|--|;)" "t:none"
```
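
The parameterized-query and allow-list workarounds above, shown side by side with the concatenation pattern the advisory describes. This is an added illustration in Python with sqlite3, not the application's PHP source (which is not reproduced on this page); the table, column names and allow-list values are constructed, and PDO prepared statements follow the same bind-then-execute shape.

```python
import sqlite3

# Assumed allow-list; take the real values from the application's test-type list
ALLOWED_TESTTYPES = {"Antigen", "RT-PCR"}

def make_db():
    """Constructed in-memory table standing in for the report data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tests (patient TEXT, testtype TEXT)")
    db.executemany("INSERT INTO tests VALUES (?, ?)", [
        ("P-001", "Antigen"), ("P-002", "RT-PCR"), ("P-003", "RT-PCR"),
    ])
    return db

def report_concatenated(db, testtype):
    """Flawed pattern from the advisory: input spliced into the SQL text."""
    sql = "SELECT patient FROM tests WHERE testtype = '" + testtype + "'"
    return [row[0] for row in db.execute(sql)]

def report_bound(db, testtype):
    """Bound parameter: the value is compared as data, never parsed as SQL."""
    sql = "SELECT patient FROM tests WHERE testtype = ?"
    return [row[0] for row in db.execute(sql, (testtype,))]

def report_hardened(db, testtype):
    """Allow-list check in front of the bound query (defence in depth)."""
    if testtype not in ALLOWED_TESTTYPES:
        raise ValueError("testtype not in allow-list")
    return report_bound(db, testtype)

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR 1=1 -- "  # tautology named in the advisory's indicators
    print(report_concatenated(db, probe))  # all rows: query structure changed
    print(report_bound(db, probe))         # no rows: probe treated as a literal
    print(report_hardened(db, "RT-PCR"))   # a normal request still works
```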

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
