Submit #797644: coze-dev coze-studio <= 0.5.1 SQL Injection (CWE-89) / Improper Input Validation (CWE-20) info

Title: coze-dev coze-studio <= 0.5.1 SQL Injection (CWE-89) / Improper Input Validation (CWE-20)

Description:

# Technical Details

A critical SQL validation bypass vulnerability was successfully identified in the `ExecuteSQL` operation mapped to the Coze Agent `databaseTool`. By chaining two specific syntax evasion techniques—utilizing MySQL backticks to sidestep uppercase substring verification and leveraging parentheses to deliberately break Regex extraction grouping—an unauthenticated or underprivileged Prompt Injector can execute uncontrolled SQL queries.

# Vulnerable Code

File: backend/domain/memory/database/service/database_impl.go

Method: validateCustomSQL & validateParsedSQL

Why:

1. `validateCustomSQL` strictly attempts to block explicit access to system resources by up-casing the SQL query and inspecting for restricted tokens (e.g., `MYSQL.`). Supplying MySQL identifiers within backticks (`mysql`.`user`) inherently translates to `MYSQL`.`USER` under `ToUpper()`, successfully evading the `strings.Contains` check.
2. `validateParsedSQL` uses a flawed Regular Expression (`regexp.MustCompile`) that forcefully extracts the exact target table name to be verified against a strict whitelist. The expression blindly assumes the SQL table syntax follows `[SPACE] + [OPTIONAL BACKTICK] + [alphanumeric string]`. By enclosing the schema target in a nested extraction boundary `FROM (`, the regex silently fails to capture arrays, allowing the payload through.

# Reproduction

1. Ensure the target host process operates an Agent Endpoint (Coze Studio).
2. Through the Chat API (`/v3/chat`), utilize an Agent that has access to the database tool.
3. Provide a natural language prompt enclosing the malicious SQL syntax satisfying both constraints: ``SELECT (SELECT authentication_string FROM (`mysql`.`user`) LIMIT 1) AS hacked_hash FROM table_123``.
4. The system queries the internal relational database as root, bypassing all application-layer restrictions.

# Impact

- Severe SQL Injection and Unauthorized System Database Access.
- Allows uncontrolled extraction of critical internal database architecture and tenant isolation breaks.
- Extremely high exploitability as LLM prompts provide a near zero-barrier vector for triggering these operations simply via standard Chat UI/API access.
Source: https://gist.github.com/YLChen-007/272fe62967b42259ed767d109615030a
User: Eric-b (UID 96354)
Submission: 2026-04-06 05:54 (22 days ago)
Moderation: 2026-04-25 15:56 (19 days later)
Status: Accepted
VulDB entry: 359602 [ByteDance coze-studio up to 0.5.1 databaseTool database_impl.go ExecuteSQL SQL injection]
Points: 20
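
The two checks described under "Vulnerable Code", modelled beside a fail-closed variant, as an added example that is not code from coze-studio or from the submitter. The function names, regular expressions and the allow-list are assumptions built from the description above; the query string is the one quoted in the reproduction step.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Query string quoted in the report's reproduction step.
const reported = "SELECT (SELECT authentication_string FROM (`mysql`.`user`) LIMIT 1) AS hacked_hash FROM table_123"

var (
	naiveFrom = regexp.MustCompile("(?i)\\bFROM\\s+`?([A-Za-z0-9_]+)")
	afterFrom = regexp.MustCompile(`(?i)\b(?:FROM|JOIN)\b\s*([^\s;)]*)`)
	ident     = regexp.MustCompile(`^[A-Za-z0-9_]+$`)
	sysSchema = regexp.MustCompile(`(?i)\b(?:mysql|information_schema|performance_schema|sys)\s*\.`)
)

// naiveValidate models the two checks as the report describes them (assumed shape).
func naiveValidate(sql string, allowed map[string]bool) bool {
	if strings.Contains(strings.ToUpper(sql), "MYSQL.") {
		return false // never fires when a backtick sits between name and dot
	}
	for _, m := range naiveFrom.FindAllStringSubmatch(sql, -1) {
		if !allowed[strings.ToLower(m[1])] {
			return false
		}
	}
	return true // a FROM the regex could not parse was silently skipped
}

// strictValidate fails closed: backticks are stripped before matching, and every
// FROM/JOIN must be followed by a bare allow-listed identifier. Stopgap only;
// it does not analyse table lists written as "a ,b".
func strictValidate(sql string, allowed map[string]bool) bool {
	norm := strings.ReplaceAll(sql, "`", "")
	if sysSchema.MatchString(norm) {
		return false
	}
	refs := afterFrom.FindAllStringSubmatch(norm, -1)
	for _, m := range refs {
		if !ident.MatchString(m[1]) || !allowed[strings.ToLower(m[1])] {
			return false // subquery, qualified name, or unknown table
		}
	}
	return len(refs) > 0
}

func main() {
	allowed := map[string]bool{"table_123": true} // constructed allow-list
	fmt.Println("naive accepts reported query: ", naiveValidate(reported, allowed))
	fmt.Println("strict accepts reported query:", strictValidate(reported, allowed))
}
```

Pattern matching of this kind remains a stopgap: validating against a real SQL parser's syntax tree and connecting with a database account that has no grants on system schemas addresses the root cause.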
