![qrhalal.png](https://myehalal.halal.gov.my/domestik/v1/images/qrhalal.png)
[REPORT: MyeHalal SQLi Exposure · 2025-06-05]
Origin: Anonymous
Subject: SQL Injection Vulnerability – myehalal.halal.gov.my
Target:
https://myehalal.halal.gov.my
Vulnerability Type:
Unauthenticated SQL Injection → Full Panel Access
Vector:
Login field vulnerable to classic SQLi:
Payload used:
`' OR '1'='1' --`
Result:
• Bypass of authentication gate
• Admin-level access to portal dashboard
• Retrieval of user-submitted data without credentials
• Evidence of unsanitized backend queries
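Added example, not part of the original report: the login pattern the report describes (a query built by string concatenation, which the `' OR '1'='1' --` payload turns into an always-true predicate) next to the parameterized form that treats the same input as an opaque string, plus a request-side check of the kind that would have produced the alert the report says never fired. The in-memory `users` table, the `make_db` helper, the `admin` row and the `looks_like_injection` heuristic are all constructed here and are assumptions, not anything taken from the portal.

```python
import re
import sqlite3

# The payload quoted in the report, used as the username field.
PAYLOAD = "' OR '1'='1' --"


def make_db():
    """Constructed in-memory stand-in for the portal's users table (hypothetical data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse', 'admin')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Query built by string concatenation: the 'unsanitized backend query' pattern.

    With the payload as username the statement becomes
      ... WHERE username = '' OR '1'='1' --' AND password = '...'
    The comment marker discards the password clause and '1'='1' matches every row,
    so the first user (here the admin) is returned without any credential.
    """
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username, password):
    """Same query with bound parameters: the payload is compared as a literal string."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Defence in depth, not the fix: a coarse heuristic for login attempts worth alerting on.
_INJECTION_MARKERS = re.compile(
    r"""'\s*(or|and)\s*'?\w*'?\s*=   # quote followed by a tautology such as ' OR '1'=
        |--                          # SQL line comment
        |/\*                         # SQL block comment
        |;""",
    re.IGNORECASE | re.VERBOSE,
)


def looks_like_injection(field_value):
    """True when a submitted login field carries SQL metacharacters in a suspicious shape.

    A plain apostrophe (o'brien) is not flagged; only quote-plus-tautology or
    comment/statement separators are. Intended to feed an alert or rate limit,
    never to replace parameterized queries.
    """
    return _INJECTION_MARKERS.search(field_value) is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable  :", login_vulnerable(db, PAYLOAD, "anything"))
    print("parameterized:", login_parameterized(db, PAYLOAD, "anything"))
    print("flagged     :", looks_like_injection(PAYLOAD))
```

Run stand-alone, the vulnerable function returns the admin row for the payload while the parameterized one returns nothing, and the heuristic flags the request before it reaches the database, which is the point at which the report's "no alert triggered" observation would have been addressed.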
Impact:
• Access to thousands of records (halal certification applications)
• Downloadable document archive (PDFs of IDs, business forms, certs)
• No CAPTCHA, WAF, or rate limiting
• Unencrypted data at rest and in transit (expired TLS)
• Database tables: `users`, `applications`, `documents`, `audit_log`
Additional Notes:
• No alert triggered. Session remained active for >15 minutes.
• Logs suggest this vulnerability may have been live for years.
• Exploitation required no tools beyond a browser and Burp.
Proof of Concept:
Login POST with payload:
```http
username=' OR '1'='1' --
password=anything
```
dm me for the admin panel url