Steps to Reproduce

1. Navigate to https://imagerepo.oberoigroup.com/login.php and log in to the application, completing the Email OTP-based 2FA process.

2. From the left sidebar, select any hotel and navigate to any accessible folder within the application.

3. Select a folder and click on the download option while intercepting the request using Burp Suite.

4. Observe that the generated POST request contains the dirIds[] parameter, which is vulnerable to SQL Injection.

5. Use the attached script to extract database names.

Note: Extraction will take time because of the large size of the ZIP files being downloaded.
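
Remediation sketch for the dirIds[] finding in step 4, as an added example that is not part of the original report and not the application's code: each array entry is validated as a positive integer and then bound as its own placeholder instead of being concatenated into the SQL. The folders table, its columns, the owner_id access check, the IN-clause query shape and the function names are all assumptions made for illustration; it needs PHP 8 with pdo_sqlite.

```php
<?php
// Added example: hypothetical download handler, not the application's code.
declare(strict_types=1);

/** Return dirIds[] as a list of positive ints, or throw on anything else. */
function parseDirIds(mixed $raw, int $max = 100): array
{
    if (!is_array($raw) || $raw === [] || count($raw) > $max) {
        throw new InvalidArgumentException('dirIds must be a non-empty array');
    }
    $ids = [];
    foreach ($raw as $value) {
        // ctype_digit rejects signs, spaces, quotes and commas; is_string rejects nested arrays
        if (!is_string($value) || !ctype_digit($value) || strlen($value) > 9 || (int)$value === 0) {
            throw new InvalidArgumentException('dirIds entries must be positive integers');
        }
        $ids[] = (int)$value;
    }
    return array_values(array_unique($ids));
}

/** Fetch only folders the user may access, with one bound placeholder per id. */
function fetchFolders(PDO $db, int $userId, array $ids): array
{
    // Only "?" marks are interpolated; the number of marks comes from count(), not from input text
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare(
        "SELECT id, path FROM folders WHERE owner_id = ? AND id IN ($marks)"
    );
    $stmt->execute(array_merge([$userId], $ids));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database (hypothetical schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE folders (id INTEGER PRIMARY KEY, owner_id INTEGER, path TEXT)');
$db->exec("INSERT INTO folders VALUES (1, 7, 'hotel-a/lobby'), (2, 7, 'hotel-a/rooms'), (3, 8, 'hotel-b/spa')");

// Constructed inputs: two well-formed requests, two malformed entries, one non-array.
$samples = [['1', '2'], ['1', '3'], ['1, 3'], ["2'"], 'not-an-array'];
foreach ($samples as $raw) {
    try {
        $rows = fetchFolders($db, 7, parseDirIds($raw));
        echo json_encode($raw), ' => ', json_encode(array_column($rows, 'path')), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo json_encode($raw), ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Rejected requests are worth logging with the authenticated user and source address, since a legitimate client never sends a non-numeric dirIds[] entry.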
