# CVE-2025-67261 - Content-based blind SQL injection on Abacre Retail Point of Sale 14.0.0.396
Abacre Retail Point of Sale 14.0.0.396 is vulnerable to content-based blind SQL injection. The vulnerability exists in the "Search" function of the "Orders" page.
A simple payload gives us the initial confirmation. Then, using the query below, we can confirm that the "Client" table exists in the Firebird database file.
```SQL
') OR EXISTS(SELECT 1 FROM Client)--
```
When this query executes, we do receive content. To confirm this further, we can go to the "Clients" tab and trigger a SQL error, which gives us the name of the table.
Within the same tab, we confirm that we have 4 clients registered in the database.
However, we can also check this count through our vulnerable parameter. If we test for only 3 entries, nothing is returned.
```SQL
') OR (SELECT COUNT(*) FROM Client)=3--
```
But when searching for 4, we now get a true result.
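
The behaviour above is what string-concatenated SQL produces, and binding the search term as a parameter removes it. The following is an added example, not code from the product or from this advisory: it uses SQLite in place of Firebird, and the `Orders` table, its `OrderNo` column, the query shape and all function names are assumptions made for illustration.

```python
import sqlite3

# Constructed stand-in data. Only the "Client" table name and its 4 rows come
# from the page; Orders/OrderNo and the query shape are assumptions.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Orders (Id INTEGER PRIMARY KEY, OrderNo TEXT);
        CREATE TABLE Client (Id INTEGER PRIMARY KEY, Name TEXT);
        INSERT INTO Orders (OrderNo) VALUES ('A-1001'), ('A-1002');
        INSERT INTO Client (Name) VALUES ('c1'), ('c2'), ('c3'), ('c4');
    """)
    return db

def search_concatenated(db, term):
    # Vulnerable pattern: the term is pasted into the SQL text, so a quote and
    # parenthesis in it close the literal and append a condition of its own.
    sql = "SELECT Id FROM Orders WHERE (OrderNo = '" + term + "')"
    return db.execute(sql).fetchall()

def search_parameterized(db, term):
    # Hardened pattern: the term is bound as data and is never parsed as SQL.
    return db.execute("SELECT Id FROM Orders WHERE (OrderNo = ?)", (term,)).fetchall()

# The count probe quoted on the page, and the same probe with 4.
PROBE_3 = "') OR (SELECT COUNT(*) FROM Client)=3--"
PROBE_4 = "') OR (SELECT COUNT(*) FROM Client)=4--"

def compare(db):
    # Row counts per search function for each probe. A difference between the
    # two probes means the response content leaks the truth of the condition.
    return {
        name: (len(fn(db, PROBE_3)), len(fn(db, PROBE_4)))
        for name, fn in (("concatenated", search_concatenated),
                         ("parameterized", search_parameterized))
    }

if __name__ == "__main__":
    for name, counts in compare(make_db()).items():
        print(f"{name}: rows for =3 / =4 -> {counts}")
```

With the concatenated query the two probes return different content, which is the true/false signal described above; with the bound parameter both are treated as a literal order number and match nothing.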