The Journey to get “SQL Injection” at BluePay (BLUE Indonesia BluePay) — 2019
Hello, in this article I want to share my experience getting SQL Injection on BluePay (BLUE Indonesia BluePay). I found this vulnerability in 2019 when I was still a Vocational High School student; this machine was very popular in my school, and that's when I tried to do a pentest on this application.
And now BluePay has stopped operating :( And I will still censor the sensitive parts.
https://www.facebook.com/bluemartindonesia/
About BluePay
PT Bluepay Digital International is an Electronic Money issuing company with the product name BluePay, and it also operates vending machines.
What is SQL injection?
About SQL Injection, in terms that are easy to understand:
1. SQL injection is a code injection technique: untrusted input is mixed into the text of an SQL query, so the attacker can read, alter or destroy your database.
2. SQL injection is one of the most common web hacking techniques.
3. SQL injection is the placement of malicious SQL in a statement via web page input (a form field, URL parameter, cookie or header).
How did I find this vulnerability?
It all started with me trying the Referral Code. The usefulness of this code is that when it is successfully used by other users, we get prizes such as 1x free food or drink pick-up.
And here is one example of the Referral Code I got:
And this Referral Code redirects to another page, and that page processes whether the code is valid or not.
Here I use cURL to see the response:
Exploiting with SQLMap
After I got the Success response shown above, I used SQLMap to exploit the SQL injection.
And I successfully got SQL injection on the "channel" parameter.
Not only that, I also managed to enumerate 352 tables in the database.
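To make the SQL injection explanation above and the "channel" parameter finding concrete, here is an added example that is not code from the original post or from BluePay. It assumes a hypothetical referral-code lookup backed by an in-memory SQLite table (the real BluePay schema, endpoint and query are unknown): the vulnerable version splices the `channel` value straight into the SQL text, the hardened version uses a parameterized query, and `boolean_probe` shows the kind of true/false differential check that SQLMap automates to confirm an injectable parameter. `enumerate_tables_via_union` shows how a UNION payload on the same parameter can list table names, which is how a tool ends up reporting a table count.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny referral table standing in for the
    real backend (assumption: the real schema is unknown)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE referral (code TEXT, channel TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO referral VALUES (?, ?, ?)",
        [("ABC123", "app", "user_a"), ("XYZ789", "web", "user_b")],
    )
    return conn


def lookup_vulnerable(conn, code, channel):
    """Vulnerable: the 'channel' value becomes part of the SQL text, so a
    quote in the input ends the string literal and the rest is parsed as SQL."""
    sql = ("SELECT owner FROM referral WHERE code = '%s' AND channel = '%s'"
           % (code, channel))
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, code, channel):
    """Hardened: placeholders keep the values separate from the SQL text, so
    the same payload is compared as a literal string and matches nothing."""
    sql = "SELECT owner FROM referral WHERE code = ? AND channel = ?"
    return [row[0] for row in conn.execute(sql, (code, channel))]


def boolean_probe(lookup, conn, code, channel):
    """Boolean-based differential test on one parameter: append an
    always-true and an always-false condition and compare the results.
    An injectable parameter yields different responses; a parameterized one
    treats both payloads as literals and returns the same (empty) result."""
    true_payload = channel + "' AND '1'='1"
    false_payload = channel + "' AND '1'='2"
    return lookup(conn, code, true_payload) != lookup(conn, code, false_payload)


def enumerate_tables_via_union(conn):
    """UNION-based extraction through the vulnerable 'channel' parameter:
    the first SELECT matches nothing, the UNION appends table names from
    sqlite_master, and '-- ' comments out the closing quote."""
    payload = "x' UNION SELECT name FROM sqlite_master WHERE type='table' -- "
    return sorted(lookup_vulnerable(conn, "ABC123", payload))


if __name__ == "__main__":
    db = make_db()
    print("normal:", lookup_vulnerable(db, "ABC123", "app"))
    print("bypass:", lookup_vulnerable(db, "ABC123", "x' OR '1'='1"))
    print("safe  :", lookup_safe(db, "ABC123", "x' OR '1'='1"))
    print("probe vulnerable:", boolean_probe(lookup_vulnerable, db, "ABC123", "app"))
    print("probe safe      :", boolean_probe(lookup_safe, db, "ABC123", "app"))
    print("tables:", enumerate_tables_via_union(db))
```

The fix is not input filtering on the code or channel value but keeping data out of the query text: with placeholders the database driver never parses the payload as SQL, so both the `OR '1'='1'` bypass and the UNION extraction return nothing.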
Timeline (Sad Ending~)
I tried to report this until 2020, but there was no response from BluePay~
Thank Kyouuuu All!!!~