| عنوان | ujcms 10.0.2 JDBC Connection Injection |
|---|
| الوصف | In the importChanel endpoint of ImportDataController, the application accepts a DataSourceSqlParams object from the user. The code directly passes the user-controlled driverClassName and url parameters to DriverManagerDataSource to establish a database connection.
Due to the lack of validation on the JDBC URL and driver class name, an attacker can exploit this via:
1. Arbitrary File Read: By specifying the MySQL driver and connecting to an attacker-controlled "Rogue MySQL Server". Utilizing the LOAD DATA LOCAL INFILE feature of the MySQL protocol, the malicious server can request the client (victim server) to read and upload arbitrary local files (e.g., /etc/passwd or C:/Windows/win.ini).
2. Remote Code Execution (RCE): If drivers like H2 Database, SQLite, or a vulnerable MySQL driver (susceptible to deserialization attacks) are present in the classpath, the attacker can execute arbitrary system commands by crafting specific JDBC URLs (e.g., using H2's RUNSCRIPT command). |
|---|
| المصدر | ⚠️ https://www.yuque.com/la12138/pa2fpb/gsz2l14wlz8c4nsn?singleDoc |
|---|
| المستخدم | Saul1213 (UID 94577) |
|---|
| ارسال | 10/02/2026 09:29 AM (3 أشهر منذ) |
|---|
| الاعتدال | 21/02/2026 10:11 PM (12 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 347320 [Dromara UJCMS 10.0.2 ImportDataController import-channel importChanel driverClassName/url تجاوز الصلاحيات] |
|---|
| النقاط | 20 |
|---|