NLB mKlik Makedonija 3.3.12 SQL Injection ≈ Packet Storm

Home^[1] Files^[2] News^[3] &[SERVICES_TAB] Contact^[4] Add New^[5]

Change Mirror^[12] Download^[13]

        
NLB mKlik Makedonija 3.3.12 SQL Injection
Vendor: NLB Banka AD Skopje
Product web page: https://www.nlb.mk
Google Play: https://play.google.com/store/apps/details?id=hr.asseco.android.jimba.tutunskamk.production
Affected version: 3.3.12
Summary: NLB mKlik е мобилна апликација наменета за физички лица,
корисници на услугите на НЛБ Банка, која овозможува преглед на
различните продукти кои корисниците ги имаат во Банката како и
извршување на различни видови на трансакции на едноставен и пред
се безбеден начин во било кој период од денот. NLB mKlik апликацијата
може да се користи со Android верзија 5.0 или понова.
Desc: The mobile application or the affected API suffers from an SQL
Injection vulnerability. Input passed to the parameters that are
associated to international transfer is not properly sanitised before
being returned to the user or used in SQL queries. This can be exploited
to manipulate SQL queries by injecting arbitrary SQL code and disclose
sensitive information.
Tested on: Android 13
Vulnerability discovered by Neurogenesia
@zeroscience
Advisory ID: ZSL-2023-5797
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5797.php
23.12.2022
--
Incident ID: ZSL-122022-NLBTHR
------------------------------
DB data disclosure PoC (international transfer details/description trigger):
++
[select alfa1+' девизен прилив' opis from pts (nolock) where unikum =dbo.dodajnuli(:unikum ,14) and kod = 15111]
-

• Follow us on Twitter^[16]
• Follow us on Facebook^[17]
• Subscribe to an RSS Feed^[18]

File Tags

• ActiveX^[19] (932)
• Advisory^[20] (82,537)
• Arbitrary^[21] (16,332)
• BBS^[22] (2,859)
• Bypass^[23] (1,767)
• CGI^[24] (1,029)
• Code Execution^[25] (7,354)
• Conference^[26] (680)
• Cracker^[27] (843)
• CSRF^[28] (3,352)
• DoS^[29] (23,656)
• Encryption^[30] (2,372)
• Exploit^[31] (52,188)
• File Inclusion^[32] (4,231)
• File Upload^[33] (977)
• Firewall^[34] (821)
• Info Disclosure^[35] (2,800)
• Intrusion Detection^[36] (896)
• Java^[37] (3,055)
• JavaScript^[38] (870)
• Kernel^[39] (6,777)
• Local^[40] (14,528)
• Magazine^[41] (586)
• Overflow^[42] (12,790)
• Perl^[43] (1,423)
• PHP^[44] (5,156)
• Proof of Concept^[45] (2,345)
• Protocol^[46] (3,635)
• Python^[47] (1,547)
• Remote^[48] (30,946)
• Root^[49] (3,598)
• Rootkit^[50] (513)
• Ruby^[51] (612)
• Scanner^[52] (1,645)
• Security Tool^[53] (7,915)
• Shell^[54] (3,205)
• Shellcode^[55] (1,216)
• Sniffer^[56] (896)
• Spoof^[57] (2,213)
• SQL Injection^[58] (16,429)
• TCP^[59] (2,417)
• Trojan^[60] (687)
• UDP^[61] (896)
• Virus^[62] (666)
• Vulnerability^[63] (31,942)
• Web^[64] (9,746)
• Whitepaper^[65] (3,753)
• x86^[66] (965)
• XSS^[67] (18,016)
• Other^[68]

File Archives

• October 2023^[69]
• September 2023^[70]
• August 2023^[71]
• July 2023^[72]
• June 2023^[73]
• May 2023^[74]
• April 2023^[75]
• March 2023^[76]
• February 2023^[77]
• January 2023^[78]
• December 2022^[79]
• November 2022^[80]
• Older^[81]

Systems

• AIX^[82] (428)
• Apple^[83] (2,027)
• BSD^[84] (375)
• CentOS^[85] (57)
• Cisco^[86] (1,925)
• Debian^[87] (6,867)
• Fedora^[88] (1,692)
• FreeBSD^[89] (1,246)
• Gentoo^[90] (4,350)
• HPUX^[91] (879)
• iOS^[92] (358)
• iPhone^[93] (108)
• IRIX^[94] (220)
• Juniper^[95] (69)
• Linux^[96] (47,026)
• Mac OS X^[97] (691)
• Mandriva^[98] (3,105)
• NetBSD^[99] (256)
• OpenBSD^[100] (486)
• RedHat^[101] (14,028)
• Slackware^[102] (941)
• Solaris^[103] (1,610)
• SUSE^[104] (1,444)
• Ubuntu^[105] (8,988)
• UNIX^[106] (9,326)
• UnixWare^[107] (186)
• Windows^[108] (6,595)
• Other^[109]

© 2022 Packet Storm. All rights reserved.