## https://sploitus.com/exploit?id=1337DAY-ID-39116
NLB mKlik Makedonija 3.3.12 SQL Injection


Vendor: NLB Banka AD Skopje
Product web page: https://www.nlb.mk
Google Play: https://play.google.com/store/apps/details?id=hr.asseco.android.jimba.tutunskamk.production
Affected version: 3.3.12

Summary: NLB mKlik is a mobile application intended for natural persons who
are users of NLB Banka's services. It allows viewing the various products the
users hold with the Bank, as well as performing various kinds of transactions
in a simple and, above all, secure manner at any time of day. The NLB mKlik
application can be used with Android version 5.0 or newer.

Desc: The mobile application or the affected API suffers from an SQL
Injection vulnerability. Input passed to the parameters associated with
international transfers is not properly sanitised before being returned to
the user or used in SQL queries. This can be exploited to manipulate SQL
queries by injecting arbitrary SQL code and disclose sensitive information.

Tested on: Android 13


Vulnerability discovered by Neurogenesia
                            @zeroscience


Advisory ID: ZSL-2023-5797
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5797.php


23.12.2022

--


Incident ID: ZSL-122022-NLBTHR
------------------------------
DB data disclosure PoC (international transfer details/description trigger):

++
[select alfa1+' девизен прилив' opis from pts (nolock) where unikum =dbo.dodajnuli(:unikum ,14) and kod = 15111]

-
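As an added example (not from the advisory, the vendor or the researcher), the shape of the leaked query rebuilt in Python over a constructed in-memory sqlite stand-in: the transfer description spliced into the statement text, beside the bound-parameter version that also keeps database errors out of the client response. Table and column names (pts, opis, alfa1, unikum, kod) come from the PoC; that dodajnuli() zero-pads the key to 14 characters, and the sqlite backend, are assumptions.

```python
import sqlite3

# Assumption: dodajnuli(x, 14) left-pads the key with zeros to 14 characters,
# mirroring the dbo.dodajnuli(:unikum, 14) call in the disclosed query.
def dodajnuli(unikum: str, width: int = 14) -> str:
    return str(unikum).zfill(width)

# Constructed stand-in for the "pts" table; the real backend is not sqlite.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE pts (unikum TEXT, kod INTEGER, alfa1 TEXT, opis TEXT)")
    con.execute("INSERT INTO pts VALUES (?, ?, ?, ?)",
                (dodajnuli("42"), 15111, "EUR", ""))
    return con

# Vulnerable pattern: the user-supplied description is spliced into the SQL
# text, so a quote character changes the statement, and the raw error (with
# the query text) goes straight back to the client, as in the PoC.
def set_description_unsafe(con, unikum: str, description: str) -> dict:
    sql = ("UPDATE pts SET opis = alfa1 || ' " + description + "' "
           "WHERE unikum = '" + dodajnuli(unikum) + "' AND kod = 15111")
    try:
        con.execute(sql)
        return {"ok": True}
    except sqlite3.Error as e:
        return {"ok": False, "error": f"{e}: {sql}"}   # leaks the query text

# Hardened pattern: bound parameters keep data out of the statement text, and
# the database error stays in server-side logs behind a generic message.
def set_description_safe(con, unikum: str, description: str) -> dict:
    sql = ("UPDATE pts SET opis = alfa1 || ' ' || ? "
           "WHERE unikum = ? AND kod = 15111")
    try:
        con.execute(sql, (description, dodajnuli(unikum)))
        return {"ok": True}
    except sqlite3.Error as e:
        print("internal db error:", e)            # server log only
        return {"ok": False, "error": "request could not be processed"}

# Reads back the stored description so both paths can be compared.
def read_opis(con, unikum: str) -> str:
    row = con.execute("SELECT opis FROM pts WHERE unikum = ?",
                      (dodajnuli(unikum),)).fetchone()
    return row[0]
```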