## https://sploitus.com/exploit?id=PACKETSTORM:175113
NLB mKlik Makedonija 3.3.12 SQL Injection  
  
  
Vendor: NLB Banka AD Skopje  
Product web page: https://www.nlb.mk  
Google Play: https://play.google.com/store/apps/details?id=hr.asseco.android.jimba.tutunskamk.production  
Affected version: 3.3.12  
  
Summary: NLB mKlik is a mobile application intended for natural persons  
who are users of NLB Banka's services. It allows an overview of the  
various products the users hold at the Bank, as well as performing  
different types of transactions in a simple and, above all, secure way  
at any time of day. The NLB mKlik application can be used with Android  
version 5.0 or newer.  
  
Desc: The mobile application or the affected API suffers from an SQL  
Injection vulnerability. Input passed to the parameters associated with  
international transfers is not properly sanitised before being returned  
to the user or used in SQL queries. This can be exploited to manipulate  
SQL queries by injecting arbitrary SQL code and disclose sensitive  
information.  
  
Tested on: Android 13  
  
  
Vulnerability discovered by Neurogenesia  
@zeroscience  
  
  
Advisory ID: ZSL-2023-5797  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5797.php  
  
  
23.12.2022  
  
--  
  
  
Incident ID: ZSL-122022-NLBTHR  
------------------------------  
DB data disclosure PoC (international transfer details/description trigger):  
  
++  
[select alfa1+' девизен прилив' opis from pts (nolock) where unikum =dbo.dodajnuli(:unikum ,14) and kod = 15111]  
  
-
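The unsanitised-parameter pattern described in the advisory, shown against the disclosed query shape, as an added example that is not the advisory's or the vendor's code. It assumes SQLite in place of the bank's SQL Server (so `+` becomes `||` and `(nolock)` is dropped), a zero-padding behaviour for `dbo.dodajnuli`, and constructed table contents; the vulnerable function splices the transfer parameter into the SQL text, the hardened one binds it as `:unikum`.

```python
import sqlite3

# Constructed rows mirroring the column names in the disclosed query
# (table pts, columns unikum, kod, alfa1); the values are invented.
ROWS = [
    ("00000000000042", 15111, "EUR 1.200,00"),
    ("00000000000043", 15111, "USD 300,00"),
    ("00000000000044", 15200, "domestic payment"),
]

def dodajnuli(value, width):
    """Assumed behaviour of dbo.dodajnuli: left-pad with zeros to `width`."""
    return str(value).zfill(width)

def make_db():
    """In-memory SQLite stand-in for the backend, with dodajnuli registered."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("dodajnuli", 2, dodajnuli)
    conn.execute("create table pts (unikum text, kod integer, alfa1 text)")
    conn.executemany("insert into pts values (?, ?, ?)", ROWS)
    return conn

def lookup_concat(conn, unikum):
    """Vulnerable pattern: the transfer parameter is spliced into the SQL text,
    so a quote in the input rewrites the WHERE clause."""
    sql = ("select alfa1 || ' девизен прилив' as opis from pts "
           "where unikum = dodajnuli('" + unikum + "', 14) and kod = 15111")
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn, unikum):
    """Hardened form: the same query with the value bound to :unikum, so the
    input is always compared as data and never parsed as SQL."""
    sql = ("select alfa1 || ' девизен прилив' as opis from pts "
           "where unikum = dodajnuli(:unikum, 14) and kod = 15111")
    return [row[0] for row in conn.execute(sql, {"unikum": unikum})]

if __name__ == "__main__":
    db = make_db()
    probe = "42', 14) or kod = kod --"   # constructed input with a stray quote
    print(lookup_concat(db, probe))      # every row: the WHERE clause collapsed
    print(lookup_param(db, probe))       # []: the odd value simply matches nothing
```

The same probe is a useful regression test for the API: the parameterised endpoint must return nothing for it, while a row count above one is the signal that concatenation is still in place.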