There is a sql injection vulnerability via index.php?m=home&c=message&a=add

![image](https://user-images.githubusercontent.com/16176698/61228435-dee4ad80-a758-11e9-843b-91cc4e6b166e.png)
use time-based bind injection to prove the vulnerability 
![image](https://user-images.githubusercontent.com/16176698/61228605-2c611a80-a759-11e9-8e83-26cc2b66c557.png)
