Researchers from Eioneus found one of the worst SQL Injection Vulnerability in the Employee Provident Fund Organization’s Online Portal. With this Vulnerability, a malicious user can gain access to the entire Provident Fund Database. The flaw is immediately reported to the CERT-IN, NIC to took the immediate actions.
This bug not only gives access to the database but also allows the attacker to take full control of the UAN servers. Researchers are successfully able to extract the data such as Phone Number, Email ID, PAN Number, KYC Details, and Bank Details.
Below are the screenshot of the POC and official mail email communication between Eioneus.
By looking at the POC it is clear that Security Reachers used SQLMap to identify the Vulnerability.
what is SQLmap ?
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
sqlmap.org is the official site of sqlmap you can download and setup the actual sqlmap to find SQL Injection vulnerabilities.
What is SQL Injection? An SQL injection is a computer attack in which malicious code is embedded in a poorly-designed application and then passed to the backend database. The malicious data then produces database query results or actions that should never have been executed more can be found on official.
In my next post, I will be sharing what exactly is SQL Injection, Its Types and how to download and setup sqlmap to identify SQL Injection.