## https://sploitus.com/exploit?id=1337DAY-ID-39116
NLB mKlik Makedonija 3.3.12 SQL Injection
Vendor: NLB Banka AD Skopje
Product web page: https://www.nlb.mk
Google Play: https://play.google.com/store/apps/details?id=hr.asseco.android.jimba.tutunskamk.production
Affected version: 3.3.12
Summary: NLB mKlik is a mobile application intended for natural persons who
are customers of NLB Banka. It provides an overview of the various
products the customer holds at the Bank and allows different kinds of
transactions to be carried out in a simple and, above all, secure way at
any time of day. The NLB mKlik application can be used with Android
version 5.0 or newer.
Desc: The backend API used by the mobile application suffers from an SQL
Injection vulnerability. Input passed in the parameters associated with
international transfers (the transfer details/description field) is not
properly sanitised before being returned to the user or used in SQL
queries. This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code and to disclose sensitive information from the
database; the PoC below shows the server-side query text disclosed by the
trigger.
Tested on: Android 13
Vulnerability discovered by Neurogenesia
@zeroscience
Advisory ID: ZSL-2023-5797
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5797.php
23.12.2022
--
Incident ID: ZSL-122022-NLBTHR
------------------------------
DB data disclosure PoC (international transfer details/description trigger):
++
[select alfa1+' девизен прилив' opis from pts (nolock) where unikum =dbo.dodajnuli(:unikum ,14) and kod = 15111]
The bracketed line is the query text disclosed by the trigger. Its (nolock)
table hint, dbo. schema prefix and + string concatenation are Transact-SQL,
so the backend is a Microsoft SQL Server database; the Cyrillic string
literal means "foreign-currency inflow". The ":unikum" token is a named
placeholder in the query template as returned by the server.
-
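The following is an added example, not code from the advisory, from Zero Science Lab or from the vendor. It models the two things the description and PoC above describe: a transfer lookup whose description parameter is concatenated into the statement (so a quote in the input turns the rest of the value into SQL and a malformed value produces a database error whose text, if echoed, leaks the query), next to the same lookup with bound parameters. The table and column names (transfers, customers, account, description, iban) and all rows are constructed for illustration; the real backend is Microsoft SQL Server, but sqlite3 is used here so the example runs offline.

```python
import sqlite3

# Constructed sample data; nothing here comes from the affected system.
CONSTRUCTED_ROWS = {
    "transfers": [
        (1, "ACC-1", 100.0, "rent"),
        (2, "ACC-2", 250.0, "invoice 42"),
    ],
    "customers": [
        (1, "Alice", "MK07200000000000001"),
        (2, "Bob", "MK07200000000000002"),
    ],
}


def make_db():
    """In-memory database seeded with the constructed rows above
    (assumed schema; sqlite3 stands in for the real SQL Server backend)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transfers (id INTEGER, account TEXT, amount REAL, description TEXT)")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, iban TEXT)")
    conn.executemany("INSERT INTO transfers VALUES (?, ?, ?, ?)", CONSTRUCTED_ROWS["transfers"])
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CONSTRUCTED_ROWS["customers"])
    return conn


def lookup_vulnerable(conn, account, description):
    """Builds the statement by string concatenation: a quote inside
    `description` closes the literal and the remainder is parsed as SQL."""
    sql = ("SELECT account, amount, description FROM transfers "
           "WHERE account = '" + account + "' AND description = '" + description + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, account, description):
    """Same query with bound parameters: the driver sends the values
    separately from the statement text, so they are never parsed as SQL."""
    sql = ("SELECT account, amount, description FROM transfers "
           "WHERE account = ? AND description = ?")
    return conn.execute(sql, (account, description)).fetchall()


# UNION-based disclosure payload: it matches the first SELECT's three
# columns, appends rows from an unrelated table, and the trailing comment
# swallows the closing quote the application adds.
UNION_PAYLOAD = "x' UNION SELECT name, id, iban FROM customers --"


def disclosed_rows(conn, fn):
    """Runs `fn` with the UNION payload and returns the rows it yields, sorted."""
    return sorted(fn(conn, "ACC-1", UNION_PAYLOAD))


def error_text(conn, fn, description):
    """Returns the database error message (or None) for a given description.
    Echoing this text to the client is what turns a syntax error into the
    kind of query-text disclosure shown in the PoC."""
    try:
        fn(conn, "ACC-1", description)
        return None
    except sqlite3.Error as exc:
        return str(exc)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, UNION payload:", disclosed_rows(db, lookup_vulnerable))
    print("safe, UNION payload:      ", disclosed_rows(db, lookup_safe))
    print("vulnerable, lone quote:   ", error_text(db, lookup_vulnerable, "'"))
    print("safe, lone quote:         ", error_text(db, lookup_safe, "'"))
```

With the concatenated form the customer table comes back through the transfer endpoint and a lone quote raises a parser error; with bound parameters the same inputs are just unmatched description strings. The fix is the second function: never build the statement from user input, and never return raw database error text to the client.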