SIM PMB Sistem Informasi Mahasiswa Pendaftaran Mahasiswa Baru Bypass SQL Login Pendaftar

2019.03.04

Negat1ve1337 (ID)

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

[+]Exploit Title: SIM PMB Sistem Informasi Mahasiswa Pendaftaran Mahasiswa Baru Bypass SQL Login Pendaftar
[+]Author: Negat1ve
[+]Team: -1
[+]Goolge Dork: Still Thinking lol :D
[+]Tested on: Windows 10 x64
=======================================
[+]Proof Of Concept:
Find website with "Login Pendaftar" vulnerability bypass
How do we know its vuln? It giving a sign
"Untuk melihat hasil test Anda, silahkan login dengan mengisi form di bawah ini."
Login with this detail
user: ' or 1=1 limit 1 -- -+
password: ' or 1=1 limit 1 -- -+
You can upload your shell/script via Image Uploader or you can find KTP/KK/Ijasah Uploader
NB:
- Upload your script with .php.jpg extension
- I just tired for explore the uploaded path but i know where :3 try harder for explore it, happy hacking
Demo sites:
http://pmb.unsada.ac.id/login
http://pmb.unisda.ac.id/login
http://pmb.umg.ac.id/login
Greetz: Electronic Thunderbolt Team - Giant-ps - Anonymous arabe - special for Posit1ve ( my gf )

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

SIM PMB Sistem Informasi Mahasiswa Pendaftaran Mahasiswa Baru Bypass SQL Login Pendaftar

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.