Monday, 4 January 2010

Ministry of forests & soil conservation vulnerability

As usual, another government site is vulnerable to SQL injection and this time, it can be used to mass own the server. I don't know why these fucking guys do such a poor coding. I just don't know who's kid, me or these guys.
Anyway, the MySQL>5 allows me to take all DB details and entities in it. Also, the admin panel is vulnerable to login bypass due to lack of filtration of the data.
Below is the screenshot of the logged panel:






Thank you and hope they fix it...