Monday, 4 January 2010

Ministry of Forests & Soil Conservation vulnerability

As usual, another government site is vulnerable to SQL injection, and this time it can be used to mass own the server. I don't know why these fucking guys do such poor coding. I just don't know who's the kid, me or these guys.
Anyway, MySQL > 5 allows me to take all the DB details and the entities in it. Also, the admin panel is vulnerable to login bypass due to a lack of filtering of the data.
Below is the screenshot of the logged-in panel:

Thank you and hope they fix it...

2 comments:

  1. Sorry, forgot to quote sam for finding the admin panel of the website...

  2. Good, I dropped by here through the keyword "sql injection" via a service called "blogger auto follow". I'm following you.. hope to see you in my followers list soon, and would love to share anything from internet, network and information security stuff.


    regards,
    Hacking Expose! Team
