PoC: Bypass Input with SQL Injection to Gaining Information in SMK Maarif Terpadu Cicalengka and…

1 month ago 40
BOOK THIS SPACE FOR AD
ARTICLE AD

Baradika

(For the SMK Maarif, i only have few screenshoots and proof, cus the website has gone)

in SMK Maarif Terpadu Cicalengka website, there a page for PEMBAGIAN KELAS that we can input of the NIS of the school student. Even the input bar has some specific word to input it(SMarT), we can bypass it with SQL Injection.

Im using this SQL Injection payload, to gain some information

‘or 1=1 limit 1 — -+

and i got this information about

as you can see, there is link of the class group, if someone iseng want to abuse it, they can.

and also i already report this to the informatics teacher there.

In page of the school website, there is page called Pengumuman Kelulusan, and there is ofc has input bar, so i tried to input some SQL Injection payload, and i got this with this payload

its not critical, cus its just information about graduation of their students, but as always, vuln is vuln, even its just a little thing information, if u dont cares as web developer, u can loss something important in ur website, just if u dont care.

and also i reported it, but not to the teacher, cus i dont have information contact about the informatic teacher, and i decided to tell it to my elementary school, and this is how he respond it

Read Entire Article