Saturday, August 22, 2015

SQL Injection in DLSU's main website

De La Salle University is one of the Philippines' most prestigious universities and is included in the "Top 4 universities and colleges in the Philippines". However, their site has an SQL injection vulnerability. I have reported it to them over the past two years (since I was in 3rd year of high school) but got no reply.
There are many vulnerable parameters. Among them is this:
http://www.dlsu.edu.ph/faculty/fis/alpha_list.asp?letter=B%27

Notice the trailing %27: it is the URL-encoded single quote ('). If the application pastes the letter parameter straight into its SQL statement, that extra quote closes the string literal early and leaves the rest of the statement malformed, so the database typically answers with a syntax error instead of the normal faculty list. That error (or any other difference in behaviour compared with the plain letter=B request) is what tells you the parameter can be injected.
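The following is an added example and is not code from the original post or from the site in question. It reproduces the quote test above against a constructed faculty table in an in-memory SQLite database (the real site's database engine and schema are unknown; SQLite only stands in for them). The vulnerable function concatenates the decoded letter parameter into the query the way a classic ASP page often does; the safe function passes it as a bound parameter. Table, column and surname values are all made up for the demonstration.

```python
import sqlite3
from urllib.parse import unquote

# Constructed sample rows standing in for a faculty list; not the site's real data.
FACULTY = [("Alvarez", "A"), ("Bautista", "B"), ("Bernardo", "B"), ("Cruz", "C")]


def make_db():
    """Build an in-memory SQLite database with a constructed faculty table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE faculty (surname TEXT, letter TEXT)")
    conn.executemany("INSERT INTO faculty VALUES (?, ?)", FACULTY)
    return conn


def decode_param(encoded):
    """URL-decode a query-string value, e.g. 'B%27' -> \"B'\"."""
    return unquote(encoded)


def vulnerable_lookup(conn, letter):
    """Mimics concatenating the 'letter' parameter directly into the SQL text.

    Returns ("ok", [surnames]) on success, or ("error", message) when the
    database rejects the malformed statement.
    """
    sql = ("SELECT surname FROM faculty WHERE letter = '" + letter
           + "' ORDER BY surname")
    try:
        rows = [r[0] for r in conn.execute(sql)]
        return ("ok", rows)
    except sqlite3.OperationalError as e:
        return ("error", str(e))


def safe_lookup(conn, letter):
    """Parameterized version: the value is sent separately from the SQL text,
    so a quote inside it is just data and cannot change the statement."""
    rows = [r[0] for r in conn.execute(
        "SELECT surname FROM faculty WHERE letter = ? ORDER BY surname",
        (letter,))]
    return ("ok", rows)


def probe(conn, encoded_letter, lookup):
    """Run one request's worth of the test: decode the parameter as the web
    server would, then hand it to the chosen lookup function."""
    return lookup(conn, decode_param(encoded_letter))


if __name__ == "__main__":
    db = make_db()
    for value in ("B", "B%27", "B%27%20OR%20%271%27%3D%271"):
        print("letter=" + value)
        print("  concatenated :", probe(db, value, vulnerable_lookup))
        print("  parameterized:", probe(db, value, safe_lookup))
```

With plain letter=B both versions return the two B surnames. With the single quote appended, the concatenated version fails with an unterminated-string error, which is the signal the post is pointing at, while the parameterized version simply finds no surname filed under the letter "B'". The third value shows why that error matters: once the attacker can close the literal, a payload such as B' OR '1'='1 makes the concatenated query return every row, whereas the parameterized query still returns nothing.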

POC: 



That's all