CVE-2018-25385
Description
E-Registrasi Pencak Silat 18.10 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id_partai parameter. Attackers can send GET requests to monitor_nilai.php with crafted SQL payloads in the id_partai parameter to extract sensitive database information including admin credentials and user data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
E-Registrasi Pencak Silat 18.10's monitor_nilai.php is vulnerable to unauthenticated SQL injection via the id_partai parameter, leaking credentials.
Vulnerability
E-Registrasi Pencak Silat versions up to and including 18.10 contain an SQL injection vulnerability in the monitor_nilai.php script. The id_partai GET parameter is not sanitized before being used in a SQL query, allowing an attacker to inject arbitrary SQL commands. The software is distributed via SourceForge as Pencak Silat Digital Scoring [1][2].
Exploitation
An unauthenticated attacker can send a crafted HTTP GET request to monitor_nilai.php with a malicious SQL payload in the id_partai parameter. The publicly available proof-of-concept [3] uses a UNION-based blind injection technique to extract data. No authentication or special network position is required; the attacker only needs to reach the web application.
Impact
Successful exploitation enables an attacker to execute arbitrary SQL queries, leading to disclosure of sensitive database contents. Specifically, the attacker can extract admin credentials (username and password hashes) and other user data from the database [4]. The confidentiality of the database is fully compromised, and additional attacks (e.g., privilege escalation or data manipulation) may become possible depending on the database privileges.
Mitigation
As of the available references, no official patch has been released. Users of E-Registrasi Pencak Silat 18.10 should consider the application vulnerable and take steps to isolate or replace it. A workaround would involve disabling the monitor_nilai.php endpoint or applying input validation via a web application firewall (WAF). The vendor project on SourceForge has not issued a fixed version [1][2].
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the id_partai parameter allows SQL injection."
Attack vector
An unauthenticated attacker sends a crafted GET request to `monitor_nilai.php` with malicious SQL code in the `id_partai` parameter [ref_id=1]. The PoC demonstrates a UNION-based injection that extracts data from the `admin` table, including `userId`, `username`, and `password` fields [ref_id=1]. Because the application does not require authentication and the parameter is directly interpolated into a SQL query, the attacker can retrieve arbitrary database contents [ref_id=1].
Affected code
The vulnerable endpoint is `monitor_nilai.php`, which accepts the `id_partai` parameter via GET requests [ref_id=1]. The application fails to sanitize or parameterize this input before using it in a SQL query, allowing direct injection of SQL statements [ref_id=1].
What the fix does
No patch is provided in the bundle. The advisory does not include a vendor fix or commit diff [ref_id=1]. To remediate this vulnerability, the application should use prepared statements or parameterized queries for the `id_partai` parameter in `monitor_nilai.php`, and apply input validation to reject non-numeric or unexpected values [ref_id=1].
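The numeric allow-list check recommended above, applied here to web-server access logs to find requests to the endpoint that such a rule would have rejected. This is an added example, not code from the advisory or the project; it assumes combined-format access logs and that `id_partai` is a short numeric identifier, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: access logs use the Apache/nginx combined format.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
ENDPOINT = "monitor_nilai.php"
PARAM = "id_partai"
NUMERIC_ID = re.compile(r"[0-9]{1,10}")  # assumption: id_partai is a small numeric id


def is_valid_id(value):
    """Allow-list check: ASCII digits only, bounded length."""
    return NUMERIC_ID.fullmatch(value) is not None


def suspicious_requests(lines):
    """Return (ip, status, decoded values) for endpoint hits whose id_partai fails the check."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/" + ENDPOINT):
            continue
        # parse_qs percent-decodes; keep_blank_values so "id_partai=" is inspected too.
        values = parse_qs(url.query, keep_blank_values=True).get(PARAM, [])
        # A repeated parameter is flagged as well: a filter and the app may read different copies.
        if values and (len(values) != 1 or not is_valid_id(values[0])):
            findings.append((m.group("ip"), int(m.group("status")), values))
    return findings


# Constructed sample log lines (not taken from the advisory or any real system).
SAMPLE_LOG = [
    '198.51.100.7 - - [29/May/2026:10:00:01 +0000] "GET /silat/nilai/monitor_nilai.php?id_partai=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [29/May/2026:10:00:05 +0000] "GET /silat/nilai/monitor_nilai.php?id_partai=12%27%20UNION%20SELECT%20NULL--%20- HTTP/1.1" 200 7344 "-" "curl/8.5.0"',
    '203.0.113.9 - - [29/May/2026:10:00:09 +0000] "GET /silat/nilai/monitor_nilai.php?id_partai=3&id_partai=x HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
    '198.51.100.7 - - [29/May/2026:10:00:12 +0000] "GET /silat/index.php?id_partai=abc HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, status, values in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} status={status} id_partai={values!r}")
```

A hit with a 200 status and a response size that differs from normal requests is worth prioritizing during review, since it suggests the query returned extra rows.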
Preconditions
- network: The attacker must be able to reach the web application over the network.
- auth: No authentication or session is required; the endpoint is publicly accessible.
- input: The attacker must supply a crafted SQL payload in the id_partai GET parameter.
Reproduction
1. Identify the base URL of the E-Registrasi Pencak Silat 18.10 installation, e.g., `http://localhost/[PATH]/`.
2. Send a GET request to `nilai/monitor_nilai.php?id_partai=[SQL_PAYLOAD]` where `[SQL_PAYLOAD]` is a UNION-based injection such as the URL-encoded payload provided in the PoC [ref_id=1].
3. Observe the response, which will include extracted database content (e.g., admin credentials) reflected in the output [ref_id=1].
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.