G-Ticket v70 EME104 CVE-2018-10284 SQL Injection

Authors: traceprobe
Risk: High
CVE: CVE-2018-10284
0day: SQL Injection
0day-id: 0DAY-10284
Date: 2018-04-22

Summary

Adaltech G-Ticket v70 EME104 is vulnerable to SQL injection through the eve_cod parameter of mobile-loja/mensagem.asp.

Background

WHAT IS G-TICKET? G-Ticket is an innovative and complete online platform that allows you to manage and execute all ticket sales and validation processes, whether at points of sale, online store, Facebook, mobile or box office, being customized with your logo to have your own business and make your brand appear and grow.

Proof of Concept

localhost/[PATH]/mobile-loja/mensagem.asp?msgid=0&msgstr=Venda%20on-line%20encerrada.%20Adquira%20seu%20ingresso%20nos%20pontos%20oficiais%20ou%20na%20bilheteria%20do%20evento.&eve_cod=[SQL]
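
A log check for requests to this endpoint, as an added example that is not part of the original advisory or the vendor's code: it scans IIS W3C access logs for mensagem.asp requests whose eve_cod is not a plain integer or is supplied more than once. Assumptions: eve_cod is a numeric event code, the site logs in IIS W3C extended format, and the sample log lines (including the /loja prefix and the addresses) are constructed.

```python
import re
from urllib.parse import parse_qs

TARGET = "/mobile-loja/mensagem.asp"   # endpoint named in the advisory
PARAM = "eve_cod"                      # injectable parameter named in the advisory
NUMERIC = re.compile(r"[0-9]{1,10}")   # ASSUMPTION: eve_cod is a numeric event code

# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2018-01-22 10:00:01 192.0.2.10 GET /loja/mobile-loja/mensagem.asp msgid=0&eve_cod=1042 200
2018-01-22 10:00:07 192.0.2.55 GET /loja/mobile-loja/mensagem.asp msgid=0&eve_cod=1042%27 500
2018-01-22 10:00:09 192.0.2.55 GET /loja/mobile-loja/Mensagem.asp msgid=0&eve_cod=1&eve_cod=x 200
2018-01-22 10:00:12 192.0.2.10 GET /loja/index.asp eve_cod=abc 200
"""

def suspicious_requests(log_text):
    """Return (c-ip, raw query, reason) for each request whose eve_cod is not a plain integer."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if not row.get("cs-uri-stem", "").lower().endswith(TARGET):
            continue                            # IIS paths are case-insensitive
        query = row.get("cs-uri-query", "")
        values = parse_qs(query, keep_blank_values=True).get(PARAM, [])
        if len(values) > 1:
            reason = "repeated parameter"       # classic ASP joins duplicates with ", "
        elif values and not NUMERIC.fullmatch(values[0]):
            reason = "non-numeric value"
        else:
            continue
        hits.append((row.get("c-ip", "-"), query, reason))
    return hits

if __name__ == "__main__":
    for ip, query, reason in suspicious_requests(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{query}")
```

The same allow-list (digits only, one value) can be enforced at a reverse proxy or WAF in front of the application while no vendor fix is available.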

Timeline

Failure reported: 08/28/2017
Reply: 09/28/2017
Correction: ?? (to date the fault has not yet been fixed)
Post: 01/22/2018

Credit

Ring0
