Found it here:

http://www.jpcsp.org/index.php?p=Compat&c=b

To see what I'm talking about, change the trailing 'b' on that URL to '

__________________

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%'' at line 1"

?

__________________

Exactly. That's how you know it's vulnerable lol.

Good find Chris, however there isn't much to be done with that site. I aim for exploiting a lot of oscommerce or other shopping sites, since you can sometimes get access to customer information and sell them on sites such as cardersplace.info, infraud.cc, carder.su, etc...

__________________

Do explain. It just looks like an error to me

__________________

yah us un1337 haqers don't know what you're all gibber gabbing about.

Basically, that error seems to indicate that it's just plugging the value from the URL directly into an SQL query without sanitizing it (removing special characters like the single-quote, ' ). If one were so inclined, they could take advantage of this by injecting their own code into the query, by changing that string to something like

Robert'); DROP TABLE students;--

And because their shitty website doesn't bother to make sure that string is safe before plugging it in, the parser will execute the command to drop the entire table named 'students' if there is one. Could do all sorts of fun things with this.

I thought there was an update a while ago that made it so you can't do multiple commands in a single query. So the whole

[COMMAND]; [COMMAND] doesn't work --
if the SQL query is SELECT * FROM students WHERE i = (url input), you couldn't write 1'; DROP TABLE students;--

If I'm wrong and you CAN run multiple commands, then I must've been doing it wrong and lost profit on tons of systems.

__________________

And how does SQL injection relate to profit at all? I'm seriously lost here, haha.

__________________

No idea, I've only got the vaguest understanding of PHP/SQL security right now. That description was from my own memory rather than a more reliable source, so it's likely not entirely accurate or up to date.



Well, like Rick said, you can sometimes get the site to dump out all sorts of information that might be worth something in the seedier parts of the interwebs, like credit card info or mailing/email addresses for spam.

Exactly. It's rare that oscommerce sites store cc info, but every once in a while you can find one that does. A DB with thousands of valid CCs can be sold for quite a bit of money. You don't even have to use the cards yourself, thus making it a little safer.

You can also harvest emails and sell them to spam companies. I hacked the pentel db (www.pentel.com) a while back, it had hundreds of thousands of email addresses. I sold them for a couple hundred bucks, which is pretty cheap considering they were all unique and non-public emails.

The pentel DB also had the passwords to all those emails (the password for their login for the site) -- I ran that with a Paypal checker, testing those emails with the passwords, and got a few thousand working PPs as well.

__________________