CVE-2025-7161 Overview
CVE-2025-7161 is a SQL injection vulnerability in PHPGurukul Zoo Management System 2.1. The flaw resides in /admin/add-normal-ticket.php, where the cprice parameter is incorporated into a database query without proper sanitization. An authenticated remote attacker can manipulate the cprice argument to inject arbitrary SQL statements. The issue is classified under [CWE-74] (Improper Neutralization of Special Elements in Output Used by a Downstream Component, i.e. injection). The exploit technique has been publicly disclosed, making opportunistic exploitation feasible against exposed installations.
Critical Impact
Authenticated attackers can inject SQL through the cprice parameter on the admin ticket page, potentially reading or modifying back-end database content remotely.
Affected Products
- PHPGurukul Zoo Management System 2.1
- Component: /admin/add-normal-ticket.php
- CPE: cpe:2.3:a:phpgurukul:zoo_management_system:2.1:*:*:*:*:*:*:*
Discovery Timeline
- 2025-07-08 - CVE-2025-7161 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-7161
Vulnerability Analysis
The vulnerability affects the administrative ticket creation workflow in PHPGurukul Zoo Management System 2.1. When an administrator submits ticket data, the cprice parameter is passed into a back-end SQL statement without parameterization or input validation. An attacker holding low-privilege admin credentials can append SQL syntax to the cprice value to alter query logic.
Successful exploitation enables unauthorized read or modification of database contents handled by the ticketing module. Because the application is PHP-based and the injection point sits in an administrative endpoint reachable over HTTP, the attack can be launched remotely once authentication is obtained. The vulnerability falls under [CWE-74] for improper neutralization of special elements.
The current EPSS probability is 0.268%, reflecting limited observed exploitation activity. However, working exploit details have been published, and PHPGurukul applications are frequently deployed in lab and small-business environments where patching cadence is inconsistent.
Root Cause
The root cause is the direct concatenation of user-supplied input from the cprice field into a SQL query string. The application neither uses prepared statements with bound parameters for this value nor escapes it (for example with mysqli_real_escape_string) nor validates that it has the shape of a price. Any character with SQL meaning (quotes, semicolons, comment markers) is therefore interpreted by the database engine rather than treated as literal data.
Attack Vector
The attack vector is network-accessible HTTP traffic to the admin interface. An attacker must possess low-privilege admin access to reach /admin/add-normal-ticket.php. The attacker submits a crafted POST request where cprice contains SQL payloads designed to extract data via UNION-based or boolean-based techniques. No user interaction is required after authentication. See the GitHub Issue on myCVE for the disclosed proof-of-concept details.
Detection Methods for CVE-2025-7161
Indicators of Compromise
- HTTP POST requests to /admin/add-normal-ticket.php containing SQL meta-characters (single quotes, UNION, SELECT, --, /*) in the cprice parameter
- Unexpected database errors in PHP application logs referencing the ticket insertion query
- Anomalous outbound traffic from the web server following admin ticket submissions
Detection Strategies
- Deploy web application firewall (WAF) rules to inspect POST bodies submitted to ticket endpoints for SQL injection signatures
- Enable MySQL general query logging temporarily to identify malformed or unusually long INSERT statements originating from the ticketing module
- Correlate admin session activity with database query patterns to flag deviation from baseline ticket-creation behavior
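The general-log review in the second strategy above, as an added example (not part of the advisory and not the vendor's code): a PHP CLI scanner that parses MySQL general-log records and flags ticket INSERTs carrying injection indicators (UNION/SELECT inside an INSERT, comment markers, stacked statements, timing or schema functions, abnormal length). The log lines are constructed for the example, and the table name tbltickets is an assumption (the advisory says "tbltickets or equivalent"); the general log records statements as received, so injected queries appear whether or not they executed.

```php
<?php
// Added example, not from the advisory or PHPGurukul: scan MySQL general-log
// records for suspicious INSERTs into the (assumed) ticket table.

const TICKET_TABLE = 'tbltickets';   // assumption; adjust to the real schema
const MAX_SANE_LEN = 300;            // legitimate ticket INSERTs are short; tune to baseline

/** Returns the list of indicators found in a ticket INSERT, or [] if it looks normal. */
function ticketInsertFindings(string $sql): array
{
    if (preg_match('/^\s*INSERT\s+INTO\s+`?' . TICKET_TABLE . '`?\b/i', $sql) !== 1) {
        return [];                                   // not the statement of interest
    }
    $findings = [];
    if (preg_match('/\bUNION\b|\bSELECT\b/i', $sql) === 1) {
        $findings[] = 'UNION/SELECT inside ticket INSERT';
    }
    if (preg_match('~--|#|/\*~', $sql) === 1) {
        $findings[] = 'SQL comment marker';
    }
    if (preg_match('/;\s*\S/', $sql) === 1) {
        $findings[] = 'stacked statement';
    }
    if (preg_match('/\b(SLEEP|BENCHMARK|LOAD_FILE|INFORMATION_SCHEMA)\b/i', $sql) === 1) {
        $findings[] = 'timing or schema-enumeration function';
    }
    if (strlen($sql) > MAX_SANE_LEN) {
        $findings[] = 'unusually long (' . strlen($sql) . ' bytes)';
    }
    return $findings;
}

/** Parses one general-log record ("time  id Command  argument"); null unless it is a Query. */
function parseGeneralLogLine(string $line): ?array
{
    if (preg_match('/^(\S+)\s+(\d+)\s+Query\s+(.*)$/s', $line, $m) !== 1) {
        return null;
    }
    return ['time' => $m[1], 'conn' => (int)$m[2], 'sql' => $m[3]];
}

// Constructed sample: a benign INSERT, an unrelated SELECT, then two injected INSERTs
// (a subquery exfiltrating a password, and a time-based probe).
$sampleLog = <<<LOG
2025-07-08T09:15:02.118823Z    17 Query INSERT INTO tbltickets(TicketType,Price) VALUES('Normal','25.50')
2025-07-08T09:15:03.004511Z    17 Query SELECT * FROM tbladmin WHERE ID=1
2025-07-08T09:16:40.772019Z    21 Query INSERT INTO tbltickets(TicketType,Price) VALUES('Normal',''||(SELECT Password FROM tbladmin LIMIT 1)||'')
2025-07-08T09:17:12.330907Z    21 Query INSERT INTO tbltickets(TicketType,Price) VALUES('Normal','1' AND SLEEP(5)-- -')
LOG;

foreach (explode("\n", $sampleLog) as $line) {
    $rec = parseGeneralLogLine($line);
    if ($rec === null) {
        continue;
    }
    $found = ticketInsertFindings($rec['sql']);
    if ($found !== []) {
        printf("[%s] conn %d: %s\n    %s\n", $rec['time'], $rec['conn'], implode('; ', $found), $rec['sql']);
    }
}
```

Run it against a real general log by replacing the heredoc with `file('/var/lib/mysql/general.log', FILE_IGNORE_NEW_LINES)`; the connection id lets you pivot to the rest of that session's statements, which is where any follow-on data access will appear. Keep the general log enabled only for the investigation window, since it records every statement including credentials in clear text.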
Monitoring Recommendations
- Monitor authentication logs for unusual admin login sources or brute-force attempts preceding ticket creation
- Alert on HTTP 500 responses from /admin/add-normal-ticket.php, which can indicate failed injection attempts (a syntax error in the injected statement surfaces as an application error)
- Track database user activity for unexpected SELECT queries against sensitive tables outside normal application workflow
How to Mitigate CVE-2025-7161
Immediate Actions Required
- Restrict network access to the /admin/ directory using IP allow-lists or VPN-only access until a patch is applied
- Rotate administrator credentials and review admin account inventory for unauthorized additions
- Audit the tbltickets or equivalent ticketing tables for unexpected modifications since deployment
Patch Information
No official vendor patch has been published for PHPGurukul Zoo Management System 2.1 at the time of writing. Operators should monitor the PHP Gurukul website for updated releases and apply any forthcoming fixes immediately. Until a vendor release is available, mitigations should be applied at the application or infrastructure layer.
Workarounds
- Modify /admin/add-normal-ticket.php locally to use parameterized queries (mysqli_prepare with bound parameters) for the cprice field
- Add server-side input validation to enforce numeric-only values for cprice before passing it to any SQL statement
- Deploy a WAF rule blocking SQL meta-characters in POST parameters to administrative endpoints
# Example ModSecurity rule to block SQLi attempts on the vulnerable endpoint.
# It matches REQUEST_FILENAME rather than REQUEST_URI (which would miss a request
# carrying a query string) and allow-lists cprice as a decimal amount instead of
# denying on a keyword list, so quotes, comment markers and boolean operators are
# all refused without needing a signature for each.
SecRule REQUEST_FILENAME "@streq /admin/add-normal-ticket.php" \
    "id:1007161,phase:2,deny,status:403,log,chain,msg:'CVE-2025-7161 SQLi attempt in cprice'"
    SecRule ARGS:cprice "!@rx ^\d{1,8}(\.\d{1,2})?$" \
        "t:none,t:trim"
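The first two workarounds above (parameterized query plus numeric-only validation of cprice), and the root cause they address, as an added example. This is not PHPGurukul's code: it is a hypothetical reconstruction of the insert path behind /admin/add-normal-ticket.php, with the table and column names (tbltickets, TicketType, Price) assumed; only the script path and the cprice parameter come from the advisory.

```php
<?php
// Added example, not the vendor's code: hypothetical reconstruction of the
// add-normal-ticket.php insert. Table/column names are assumptions.

// --- Vulnerable pattern (the root cause described in the advisory) -----------
function insertTicketVulnerable(mysqli $con, array $post): bool
{
    $cprice = $post['cprice'];   // attacker-controlled, used verbatim
    // Concatenating the value into the SQL text means a quote, comment marker
    // or subquery inside cprice is parsed as SQL rather than stored as a price.
    $sql = "INSERT INTO tbltickets (TicketType, Price) VALUES ('Normal', '$cprice')";
    return $con->query($sql) === true;
}

// --- Hardened replacement ----------------------------------------------------
// Step 1: allow-list the shape of a price (up to 8 integer digits, optional two
// decimals). Anything else is rejected before any SQL is built.
function validatePrice(string $raw): ?string
{
    $raw = trim($raw);
    return preg_match('/^\d{1,8}(\.\d{1,2})?$/', $raw) === 1 ? $raw : null;
}

// Step 2: bind the already-validated value as a parameter. The statement text is
// now constant, so the database never parses user input as SQL.
function insertTicketSafe(mysqli $con, array $post): bool
{
    $cprice = validatePrice((string)($post['cprice'] ?? ''));
    if ($cprice === null) {
        throw new InvalidArgumentException('cprice must be a decimal amount');
    }
    $stmt = $con->prepare('INSERT INTO tbltickets (TicketType, Price) VALUES (?, ?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }
    $type = 'Normal';
    $stmt->bind_param('ss', $type, $cprice);   // 's' preserves the exact decimal text
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Offline check of the validator alone (no database needed): a benign value and
// two constructed payloads of the kind the advisory describes.
foreach (['25.50', "1' UNION SELECT 1,2-- -", "1' AND SLEEP(5)-- -"] as $v) {
    printf("%-28s -> %s\n", $v, validatePrice($v) === null ? 'rejected' : 'accepted');
}
```

Validation and parameter binding are deliberately both present: the allow-list stops junk from ever reaching the database and gives a clean 400-style failure, while the prepared statement is the control that actually removes the injection even if a future edit loosens the regex. The same validatePrice() check can be applied to any other numeric field the form submits.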
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

