Impact
- Description
SQLBot contains a Server-Side Request Forgery (SSRF) vulnerability that allows an attacker to retrieve arbitrary system and application files from the server.
The core weakness is:
SSRF via Rogue MySQL Datasource: An attacker can exploit the /api/v1/datasource/check endpoint by configuring a forged MySQL data source with a malicious parameter extraJdbc="local_infile=1". When the SQLBot backend attempts to verify the connectivity of this data source, an attacker-controlled Rogue MySQL server issues a malicious LOAD DATA LOCAL INFILE command during the MySQL handshake. This forces the target server to read arbitrary files from its local filesystem (such as /etc/passwd or configuration files) and transmit the contents back to the attacker.
- Impact
This vulnerability allows attackers to extract sensitive files from the SQLBot deployment server. Confirmed material impacts include:
- Reading /etc/passwd or /etc/shadow to obtain host system account information.
- Reading /proc/self/environ to extract process environment variables containing database passwords and API keys.
- Impact
This vulnerability allows unauthenticated attackers to extract highly sensitive files from the SQLBot deployment server. Confirmed material impacts include:
- Reading /etc/shadow to obtain the hashes of privileged host accounts, enabling offline cracking and subsequent SSH takeover.
- Reading /proc/self/environ to extract process environment variables containing plaintext database superuser passwords (e.g., POSTGRES_PASSWORD) and third-party cloud service API keys, leading to an immediate compromise of the cloud-native architecture.
- Reading project configuration files (e.g., /opt/sqlbot/app/alembic.ini) to conduct further source-code and schema reconnaissance.
Ultimately, this vulnerability leads to total database compromise and host cluster manipulation (System Takeover), representing an exceptionally severe security flaw with a very low barrier to exploitation.
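As an added illustration of the defensive fix (example code written for this advisory, not SQLBot's actual patch; the helper names and the pymysql-style connection kwargs are assumptions): validate the extra connection parameters before the connectivity check and keep client-side local_infile pinned off in the driver, so a rogue MySQL server cannot pull files from the SQLBot host.

```python
# Added example, not SQLBot's own code: a server-side guard for a datasource
# connectivity check. It rejects extra connection parameters that would enable
# client-side LOAD DATA LOCAL INFILE and always pins local_infile=False in the
# kwargs handed to the MySQL driver, so a rogue server cannot request local files.
import re

# Parameter names (any case) that turn on client-side local-infile in common drivers.
LOCAL_INFILE_KEYS = {"local_infile", "allowloadlocalinfile", "allowloadlocalinfileinpath"}
TRUTHY = {"1", "true", "yes", "on"}


def parse_extra_params(extra: str) -> dict:
    """Parse 'k1=v1&k2=v2' (or ';'-separated) into a dict with lower-cased keys."""
    params = {}
    for item in re.split(r"[&;]", extra or ""):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition("=")
        params[key.strip().lower()] = value.strip()
    return params


def validate_extra_params(extra: str) -> dict:
    """Return the parsed params, or raise ValueError if any local-infile switch is enabled."""
    params = parse_extra_params(extra)
    for key, value in params.items():
        if key in LOCAL_INFILE_KEYS and value.lower() in TRUTHY:
            raise ValueError(f"connection parameter '{key}' is not allowed for a datasource check")
    return params


def is_safe_extra(extra: str) -> bool:
    """Boolean wrapper around validate_extra_params for callers that prefer no exception."""
    try:
        validate_extra_params(extra)
        return True
    except ValueError:
        return False


def build_check_kwargs(host: str, port: int, user: str, password: str, extra: str = "") -> dict:
    """Build driver kwargs for a connectivity check (shape follows pymysql.connect; an assumption)."""
    params = validate_extra_params(extra)
    kwargs = {"host": host, "port": int(port), "user": user, "password": password,
              "connect_timeout": 5}
    for key in ("charset",):  # allowlist: only harmless options pass through from `extra`
        if key in params:
            kwargs[key] = params[key]
    kwargs["local_infile"] = False  # set last so nothing in `extra` can override it
    return kwargs
```

The returned dict is what the check would pass as pymysql.connect(**kwargs); the rejection happens before any network connection is opened.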
POC
- Prerequisites
- The target server hosts an accessible SQLBot network service.
- Log in as admin (many internet-exposed targets still use the publicly known default credentials: admin/SQLBot@123456).
- Steps to Reproduce
- Deploy the Malicious MySQL Trap Listener (Rogue MySQL Server) on the Attacker's Host
Use a Python script to set up a forged socket service listening on a chosen port (13317 below), and set the target file to /etc/passwd:
python rogue_mysql.py -p 13317 -f /etc/passwd
- Trigger the Exploit
Log into the system, navigate to "Data Sources" (数据源) -> "New Data Source" (新建数据源), and select "mysql". For "Hostname/IP address" (主机名/IP地址), enter the IP address of the host where you ran the rogue MySQL server script, and fill in the port you configured in the script. Crucially, enter "local_infile=1" in the "Additional database connection configuration" (额外的数据库连接配置) field. The other configuration items can hold arbitrary values. Click "Validate" (校验) to trigger the vulnerability.
- Observe Verification Results
The specified critical file sent by the target server is then captured on the Rogue MySQL Server side.
Expected terminal echo:
Affected versions: <= 1.6.0
Patches
The vulnerability has been fixed in v1.7.0.
Workarounds
It is recommended to upgrade the version to v1.7.0.
References
If you have any questions or comments about this advisory:
Open an issue in https://github.com/dataease/sqlbot
Email us at wei@fit2cloud.com