dis.uniroma1.it – Blind SQL Injection

2017-06-11: Contacted Webmaster

2017-08-16: Seems they did some fixes

I came here through some references by Vietnamese students who studied here, and it did not take long to discover some funny things.

Start from https://www.dis.uniroma1.it/~dottoratoii/students/

When I appended ' to one of the students’ profiles, it appeared to cause an SQL error, but not much information was returned.

It seems the webmaster also applied some input filtering when I tried to append a query. But no luck: with a few more tries, I could easily bypass the filter (e.g., use /**/ instead of space/+, …).

Since it’s blind, it took me 5 more minutes to get the total number of columns in the query, then to query information_schema for the table list along with column names.

Holy cow, the password is in plaintext. I started to feel like a kid.

The Admin panel is located under /admin/, classic.
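Added example, not part of the original post and not the site's code: the filter-then-concatenate pattern described above, next to a type-checked, parameterized lookup that closes the hole. It uses an in-memory SQLite database as a stand-in; the table, columns, function names and sample input are all constructed assumptions.

```python
import re
import sqlite3

# Constructed sample data; table and column names are assumptions for this example.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO students VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "carol")])
    return db

def blacklist_filter(value):
    """Weak 'before' filter: reject quotes, spaces and '+', the kind of
    character blacklist the post describes."""
    if re.search(r"['\" +]", value):
        raise ValueError("rejected by filter")
    return value

def lookup_concatenated(db, raw_id):
    """Vulnerable 'before': filtered input is still spliced into the SQL text."""
    sql = "SELECT name FROM students WHERE id=" + blacklist_filter(raw_id)
    return [row[0] for row in db.execute(sql)]

def lookup_parameterized(db, raw_id):
    """Hardened 'after': strict type check, then a bound parameter, so the
    value can never change the statement's structure."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return []  # not an id: return nothing and expose no SQL error
    return [row[0] for row in db.execute(
        "SELECT name FROM students WHERE id=?", (int(raw_id),))]

# Constructed input: a comment used as a token separator passes the blacklist.
CRAFTED = "0/**/OR/**/1=1"

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_concatenated(db, "2"),
          lookup_concatenated(db, CRAFTED))
    print("parameterized:", lookup_parameterized(db, "2"),
          lookup_parameterized(db, CRAFTED))
```

The blacklist stops the obvious spelling of the input but not the equivalent one, while the bound parameter returns one row or none regardless of what is sent.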
