The Journey to get “SQL Injection” at BluePay (BLUE Indonesia BluePay) — 2019


Hello, In this article i want to share my experience getting SQL Injection on BluePay (BLUE Indonesia BluePay), I found this vulnerability in 2019 when I was still a Vocational High School and this machine was very popular in my school, and that’s when I tried do Pentest on this Application.

And now BluePay has stopped operating :( And still I will censor the sensitive part

About BluePay

PT Bluepay Digital International, an Electronic Money issuing company with the product name BluePay as well as a vending machine manager.

What is SQL injection ?

About SQL Injection which is easy to understand :
1. SQL injection is a code injection technique that might destroy your database.
2. SQL injection is one of the most common web hacking techniques.
3. SQL injection is the placement of malicious code in SQL statements, via web page input.

How do I get this Vulnerability?

It all started with me trying the Referral Code, and the Usefulness of this Code when this Code is successfully used by other users we will get prizes such as free 1x food or drink pick-up.

And here is one example of the Referral Code I got

Referral Code

And this Referral Code will redirect to another page, and that page is to process whether this code is valid or not.
Here I use cURL to see Response

Response Success

Exploiting with SQLMap

After I get Response Success as shown above, then I use SQLMap to exploit SQL Injection attacks


And I successfully get SQL Injection on parameter “channel

Not only that, I also managed to get “352 Tables” in the Database.

Timeline (Sad Ending~)

For this I have tried to report this until 2020, but there is no response from BluePay~

So saddd~


Thank Kyouuuu All!!!~

Follow Me



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store