VYPR
High severity (score 8.2) · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2018-25390

Description

HaPe PKH 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'desa' POST parameter sent to lap-peserta-perdesa-pdf.php. Attackers can send a crafted request with a time-based blind payload to infer and extract sensitive database information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

HaPe PKH 1.1 is vulnerable to unauthenticated SQL injection via the 'desa' parameter, enabling attackers to extract sensitive database information.

Vulnerability

HaPe PKH version 1.1 contains a SQL injection vulnerability in the lap-peserta-perdesa-pdf.php script. The desa POST parameter is not properly sanitized, allowing an unauthenticated attacker to inject arbitrary SQL commands. The application is a PHP-based web application using a SQL database, and the vulnerable code is reachable without any authentication [1][3].

Exploitation

An attacker can send a crafted HTTP POST request to /hape-pkh/lap-peserta-perdesa-pdf.php with a malicious desa parameter containing a time-based blind SQL injection payload (e.g., 1' AND (SELECT * FROM (SELECT(SLEEP(5)))X)-- X). No authentication or special privileges are required. The attacker can also exploit other parameters (id, nama_kelompok) in related scripts exposed to unauthenticated users [1].

Impact

Successful exploitation allows an attacker to infer and extract sensitive data from the database, including user credentials, application data, and database version information. The impact is primarily information disclosure, as the injection is blind (time-based), but may also lead to data modification or further compromise depending on database permissions [1][3].

Mitigation

As of the latest available references, no official patch has been released. The vendor's project page on SourceForge indicates version 1.0 as the latest [2]. Users should consider implementing input validation and parameterized queries to prevent SQL injection, or discontinue use of the vulnerable software until a fix is available. The vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing input sanitization in the `desa` POST parameter allows direct SQL command injection."

Attack vector

An unauthenticated attacker sends a POST request to `lap-peserta-perdesa-pdf.php` with a crafted `desa` parameter containing SQL injection payloads. The exploit-db entry [ref_id=1] demonstrates a time-based blind payload using `SLEEP(5)` to confirm injection, as well as `UNION SELECT` payloads that extract database user, database name, and version via `CONCAT_WS`. Because no authentication is required and the application runs over HTTP, the attack is trivially exploitable from any network position.

Affected code

The vulnerability exists in `lap-peserta-perdesa-pdf.php` where the `desa` POST parameter is directly concatenated into SQL queries without sanitization. The exploit-db entry [ref_id=1] shows the same pattern in multiple files including `lap-anggota-kelompok-pdf.php`, `admin/media.php` (several modules), and `aksi_pengurus.php`/`aksi_update.php`.

What the fix does

The bundle does not contain a patch. Based on the advisory [ref_id=1], the remediation would require parameterized queries or prepared statements for all user-supplied input in the affected PHP files, particularly the `desa`, `nama_kelompok`, and `id` parameters. Without a fix, an attacker can extract the entire database contents.
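The remediation described above, shown as an added example that is not HaPe PKH's own code: the concatenation pattern the advisory describes for the `desa` parameter, beside a prepared-statement replacement for the same report query. The table and column names (`peserta`, `nama`, `nik`, `kelompok`), the connection settings and the 64-character length limit are assumptions.

```php
<?php
// Added example, not HaPe PKH code. Table/column names, DSN and limits are assumptions.

// BEFORE: the pattern the advisory describes. $desa is spliced into the SQL
// text, so a single quote in the input ends the string literal and whatever
// follows it is executed as part of the query.
function laporanPesertaVulnerable(PDO $db, string $desa): array
{
    $sql = "SELECT nama, nik, kelompok FROM peserta WHERE desa = '" . $desa . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// AFTER: the same report with a server-side prepared statement. The SQL text
// is fixed at prepare() time and the value travels separately, so it can only
// be compared as a string and is never parsed as SQL.
function laporanPesertaSafe(PDO $db, string $desa): array
{
    $stmt = $db->prepare('SELECT nama, nik, kelompok FROM peserta WHERE desa = :desa');
    $stmt->execute([':desa' => $desa]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection settings that keep the fix honest: real (not emulated) prepares,
// and exceptions so a failed query is not silently turned into an empty PDF.
function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=hape_pkh;charset=utf8mb4', // assumption
        'hape_user', 'hape_password',                           // assumption
        [
            PDO::ATTR_EMULATE_PREPARES => false,
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        ]
    );
}

// Entry point as lap-peserta-perdesa-pdf.php would use it. Defence in depth:
// a village name is a short printable label, so anything else is rejected
// before it reaches the database (the length limit is an assumption).
$desa = trim($_POST['desa'] ?? '');
if ($desa === '' || mb_strlen($desa) > 64) {
    http_response_code(400);
    exit('invalid desa parameter');
}
$rows = laporanPesertaSafe(connect(), $desa);
// $rows is then handed to the PDF rendering step.
```

The same replacement applies to the other parameters the advisory names (`nama_kelompok`, `id`): every value that reaches a query goes through a bound parameter, not string concatenation.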

Preconditions

  • auth: No authentication required; the vulnerable endpoint is publicly accessible.
  • network: Attacker must be able to send HTTP POST requests to the target server.
  • input: The `desa` POST parameter is accepted without sanitization.

Reproduction

Send a POST request to `http://localhost/hape-pkh/lap-peserta-perdesa-pdf.php` with body `desa=%27%20%41%4e%44%20%28%53%45%4c%45%43%54%20%2a%20%46%52%4f%4d%20%28%53%45%4c%45%43%54%28%53%4c%45%45%50%28%35%29%29%29%58%29%2d%2d%20%58` (URL-decoded: `' AND (SELECT * FROM (SELECT(SLEEP(5)))X)-- X`). A 5-second delay confirms the injection [ref_id=1].

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4
