Summary
- On 24th May, Adithya S discovered that the Karnataka NIC portal for checking examination results was vulnerable to SQL injection.
- Inputs were not being sanitised, so a SQL query could be injected.
- This allowed the hacker to retrieve other applicants’ results.
- Submitting the input 'A' OR '1'='1' indicated that a boolean-based SQL injection was possible.
- Using Microsoft SQL Server version detection, S demonstrated the vulnerability.
- This could be used to extract other data from the database, or possibly enumerate all values in a specific field.
- On reporting the vulnerability, S received no response from CERT.
- As the vulnerability remains unpatched, S urges readers to respond with suggestions for resolving the security issue.
By Adithya M S
Original Article
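
One way to resolve the issue described in the summary, shown as an added example (not code from the portal or the original article): the same result lookup built by string concatenation and with a bound parameter. Python's sqlite3 stands in for the portal's Microsoft SQL Server back end; the table, column names, six-digit register-number format and sample rows are assumptions.

```python
import re
import sqlite3

# Constructed sample data; schema and register-number format are assumptions.
ROWS = [("100001", "Student A", 512),
        ("100002", "Student B", 478),
        ("100003", "Student C", 455)]
REG_NO = re.compile(r"[0-9]{6}")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE results (reg_no TEXT PRIMARY KEY, name TEXT, marks INTEGER)")
    conn.executemany("INSERT INTO results VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_concatenated(conn, reg_no):
    """Vulnerable pattern: user input becomes part of the SQL text."""
    sql = "SELECT reg_no, name, marks FROM results WHERE reg_no = '" + reg_no + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, reg_no):
    """Hardened pattern: the input is bound as data and never parsed as SQL."""
    sql = "SELECT reg_no, name, marks FROM results WHERE reg_no = ?"
    return conn.execute(sql, (reg_no,)).fetchall()


def lookup_hardened(conn, reg_no):
    """Defence in depth: allow-list validation, then a bound parameter."""
    if not REG_NO.fullmatch(reg_no):
        raise ValueError("register number must be six digits")
    return lookup_parameterized(conn, reg_no)


if __name__ == "__main__":
    conn = make_db()
    tautology = "A' OR '1'='1"  # the summary's tautology, as typed into a quoted field
    print("concatenated :", len(lookup_concatenated(conn, tautology)), "rows")
    print("parameterized:", len(lookup_parameterized(conn, tautology)), "rows")
    print("legitimate   :", lookup_hardened(conn, "100002"))
```

The concatenated lookup returns every applicant's row for the tautology, while the parameterized lookup treats the same string as a register number that matches nothing.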