CVE-2019-8979

CRITICAL LAB

Kohana < 3.3.6 - SQL Injection via order_by Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-8979. PoCs published by elttam.

AI-analyzed exploit summary This repository contains a working PoC for CVE-2019-8979, a SQL injection vulnerability in the Koha library management system. The exploit leverages a blind SQL injection via the 'sort' and 'order' parameters in the Member controller, using a bitwise extraction method to dump database information.

Description

Kohana through 3.3.6 has SQL Injection when the order_by() parameter can be controlled.

Exploits (1)

nomisec WORKING POC 2 stars

by elttam · poc

https://github.com/elttam/ko7demo

View Code ZIP pw:eip

This repository contains a working PoC for CVE-2019-8979, a SQL injection vulnerability in the Koha library management system. The exploit leverages a blind SQL injection via the 'sort' and 'order' parameters in the Member controller, using a bitwise extraction method to dump database information.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: Koha (version not explicitly specified, but CVE-2019-8979 affects Koha < 18.11.03)

No auth needed

Prerequisites: Access to the vulnerable Koha instance · Network connectivity to the target

MITRE ATT&CK

T1505 - Server Software Component T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit, Third Party Advisory x_refsource_misc

https://github.com/huzr2018/orderby_SQLi

View Exploit ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0320

EPSS Percentile 86.5%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Lab Environment

COMMUNITY

Community Lab

docker pull mysql:5.7

https://github.com/elttam/ko7demo

https://github.com/huzr2018/orderby_SQLi

View in Library

Details

CWE

CWE-89

Status published

Products (1)

kohanaframework/kohana < 3.3.6

Published Feb 21, 2019

Tracked Since Feb 18, 2026