Bangladesh Railway , NIMC & Jiban Bima Corporation sites vulnerable to SQL Injection

The Tunisian Hacker, Human Mind Cracker, has claimed to have discovered SQL Injection vulnerability in Top Bangladesh Government websites.

In an email sent to E Hacking News, hacker mentioned that he found SQLi in three Government sites.

Affected Government sites are the official site of Bangladesh Railway(railway.gov.bd) , National Institute of Mass Communication of Bangladesh(NIMC.gov.bd) and Jiban Bima Corporation(JBC.gov.bd).


Hacker managed to breach the database server belong to National Institute of Mass Communication and leaked the stolen data in Hey paste it (heypasteit.com/clip/0NUH)

The database dump contains database table name, name of users, hashed passwords. It contains more than 650+ entries of user data.

The hacker claims that the Bangladesh Gov websites are not secure at all .  As far as i know, not only Bangladesh but also other countries government sites are vulnerable. More than 90% Government websites are vulnerable.

Algerian Bank CPA hacked by Tunisian Hacker


One of the Algerian Banks , Crédit populaire d'Algérie (CPA) Bank is found to be vulnerable to SQL Injection vulnerability.  This critical vulnerability was discovered by a Grey-hat Tunisian Hacker "Human Mind Cracker" who usually targets Bank and Government sites.

In an email sent to EHN, the hacker provided the vulnerable link of the site(cpa-bank.dz).

" I reported to them the vulnerability before I hack into the database,2 days without reply or anything...After that I find that the email that they put it in the website for contact is INVALID mail.So I get into the database." The hacker said.

In a paste(heypasteit.com/clip/0NLX) , hacker dumped the compromised data to prove the severity level of vulnerability.  It contains Username , passwords ,Email addresses, Phone number, Fax and Location.

Bangladesh Post Office site hacked by Human Mind Cracker

A SQL Injection vulnerability has been discovered in official website of Bangladesh Post Office (bangladeshpost.gov.bd). The vulnerability was discovered by the Grey-hat hacker "Human Mind Cracker".

In an email sent to EHN, the hacker provided the vulnerable link and claimed that the site is vulnerable to lot of vulnerabilities.

The hacker breached the site by exploiting the SQL injection vulnerability and compromised the database.

Screenshot of Admin Panel

"I get into their database,and the most funniest thing is that  The passwords is not encrypted with any hash, and this so bad for a website related to a government." the hacker said in the email.

The database dump(heypasteit.com/clip/0N9U) contains database details, username, plain-text format password.  It also includes the admin username and password.

Pakistan army website hacked by Human mind cracker

The Tunisian hacker 'Human Mind Cracker' who discover critical vulnerability in high profile website.Again,this time he hacked into Pakistan Army website  and he get into their Database. He discovered SQL Injection vulnerability in their website 'www.pakistanarmy.gov.pk' .

In an email sent to EHN,the hacker provided us the vunerable link as a proof for his hacking.And he also provided a link to the dump (www.heypasteit.com/clip/0N5T).

" The reason of the hack is just to break the security of that website...I was thinking that Pakistan has a good cyber army but lool also they have a lot of vulnerable websites" hacker said in the email.

The dump contains database details, password, email address, admin id and password.

The hacker always try to hack into governments and banks website to improve his skills and want to know if government mind about security in their website.And the hacker said that more governments websites will be hacked by him soon.

Islami Bank Bangladesh website hacked by Human Mind Cracker

The Tunisian hacker 'Human Mind Cracker' who discover critical vulnerability in high profile website, come with another interesting vulnerability finding. He discovered SQL Injection Vulnerability in one of the Bangladesh Bank website , "Islami Bank Bangladesh Ltd"(islamibankbd.com).

In an email sent to EHN, the hacker provided the vulnerable link and a link to the dump(heypasteit.com/clip/0MWN).

"The vulnerability was SQL injection...I report it many times..but they didn't reply and they didn't fix it yet...So I get into their database." Hacker said in the mail.

The dump contains database details, encrypted password, email address, admin id and password.


He also discovered Cross Site scripting security flaw in Feedback sending page of Islami Bank.

This is not the first time the Bank sites are being targeted by Human Mind cracker.  Last time, he discovered SQLi in Tunisian Bank site. 

The hacker always like to be a Grey Hat hacker and like to help the admin of site by reporting the vulnerability. But the admin fails to respond and fails to patch the security flaw.

South Africa's National Department of Health website hacked

database dumped

A Tunisian greyhat hacker named as "Human Mind Cracker" has claimed to have breached the South Africa's National Department of Health website(doh.gov.za) and compromised the database.

In an email sent to EHN, hacker provided the vulnerable link as well as link to Database dump.  Hacker requested me not to post the vulnerable link.

" The only reason about this hack that i love challenge and I readed a lot about the Moroccan hacker that break into some south Africa website so I just wanted to pentest their security" The hacker told EHN.

The dumped database contains database details, username and hashed passwords.

http://pastebin.com/niCEMbRs

Tunisian hacker 'Human Mind Cracker' discovered SQLi vulnerability in Tunisian Bank sites

XSS in Bank sites

A Grey Hat Hacker with online handle "Human Mind cracker" has discovered SQL Injection vulnerability in some Tunisian Bank websites. Central Bank of Tunisia(bct.gov.tn) and Bank of Tunisia and the UAE (bte.com.tn) are vulnerable to SQLi .

In an email sent to EHN , hacker provided us the vulnerable link and the Proof-of-Concept(POC). As he recommend us not to publish the vulnerable , we are not providing the link here.

According to hacker, he reported the vulnerability to them but they didn't fix the vulnerability so he hacked into the database.

He has published some database information compromised from the server that includes database name and few username.

Also, he has discovered Cross site scripting (XSS) vulnerability in Central Bank of Tunisia,atb.com.tn and Banque de Tunisie(bt.com.tn).

SQL Injection is one of the most critical vulnerability, as attacker can extract the entire database by exploiting it. Banks should really buff up their security measures ,as cyber criminals mainly target Financial institution.