Vianeos OctoPUS Time-Based Blind SQL Injection Vulnerability
Vulnerability
A time-based blind SQL injection vulnerability has been identified in Vianeos OctoPUS version 5. The issue arises in the 'login_user' parameter during authentication requests. Attackers can exploit this vulnerability by sending crafted POST requests that include malicious SQL payloads. These payloads can trigger database sleep functions, allowing attackers to extract information from the database.
Impact
Exploitation allows time-based blind SQL injection: an attacker can manipulate the SQL queries issued during authentication and potentially extract sensitive information from the database.
Reproduction
To reproduce this vulnerability, send a POST request during the authentication process with a 'login_user' parameter whose value carries a time-based SQL injection payload, for example one that calls the 'SLEEP' function. The injection is verified by observing a delay in the application's response, which indicates that the injected SQL was executed.
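An added example, not taken from the advisory or from OctoPUS code: it shows why a query built by string concatenation lets a 'login_user' value run a database function, and why a bound parameter does not. The `users` schema, the function names and the probe value are assumptions constructed for illustration, and a stand-in `sleep` function on an in-memory SQLite database counts calls instead of delaying.

```python
import sqlite3

# Counts executions of the stand-in delay function (assumption: replaces SLEEP()).
calls = {"sleep": 0}

# Constructed test value for the 'login_user' field; used only against the local DB.
PROBE = "nobody' OR sleep(1) -- "


def fake_sleep(seconds):
    """Record that the database executed sleep() instead of actually delaying."""
    calls["sleep"] += 1
    return 0


def make_db():
    """Build an in-memory database with a hypothetical users table."""
    db = sqlite3.connect(":memory:")
    db.create_function("sleep", 1, fake_sleep)
    db.execute("CREATE TABLE users (login TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'constructed-hash')")
    return db


def lookup_concatenated(db, login_user):
    """Vulnerable pattern: the parameter becomes part of the SQL text."""
    sql = "SELECT login FROM users WHERE login = '" + login_user + "'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, login_user):
    """Hardened pattern: the value is bound and never parsed as SQL."""
    sql = "SELECT login FROM users WHERE login = ?"
    return db.execute(sql, (login_user,)).fetchall()


def sleep_calls_during(fn, db, value):
    """Return how many times the database ran sleep() while fn handled value."""
    before = calls["sleep"]
    fn(db, value)
    return calls["sleep"] - before


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", sleep_calls_during(lookup_concatenated, db, PROBE))
    print("parameterized:", sleep_calls_during(lookup_parameterized, db, PROBE))
```

A non-zero count for the concatenated lookup means the database executed code supplied through the parameter; the same check run against a patched build is a quick regression test for the fix.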
