Impact
- Description
SQLBot contains a critical SQL Injection vulnerability in the /api/v1/datasource/uploadExcel endpoint's Excel file processing logic. An attacker can upload a specially crafted Excel file with a malicious Sheet name to inject arbitrary SQL fragments, ultimately achieving Remote Code Execution (RCE) on the server.
The core weakness lies in two pieces of code in the backend:
Flaw 1: Table name directly concatenates Sheet name (no sanitization)
backend/apps/datasource/api/datasource.py#L351:
This line directly concatenates the Excel Sheet name (sheet_name) with an underscore _ and a 10-character random hash to form the PostgreSQL table name, without any special character filtering on the Sheet name. For example, when an attacker sets the Sheet name to a malicious SQL fragment like chat"FROM PROGRAM'id>/tmp/x'--, the generated tableName becomes:
chat"FROM PROGRAM'id>/tmp/x'--_e1049707f4
Flaw 2: Table name embedded directly into COPY SQL statement (SQL Injection)
backend/apps/datasource/api/datasource.py#L385-L388:
This code uses a Python f-string to embed the above tableName directly into the COPY SQL statement's double-quoted identifier, without using parameterized queries.
Since a double quote " in the Sheet name can close the SQL identifier quoting, an attacker can inject a TO PROGRAM 'command' clause into the Sheet name, causing PostgreSQL to pipe query results into an operating system shell for execution.
Although the Excel specification limits Sheet names to a maximum of 31 characters, an attacker can bypass this limitation through a two-stage injection technique to achieve arbitrary-length command execution:
- Stage 1 (Payload Staging): Upload a normal Excel file with Sheet name
s. Its data rows contain complete shell script commands. The backend, following the logic at line 351, constructs the table name as s_<10-char-random-hash> (e.g., s_0425a81fc8) and stores the Excel data into that table. The full table name is returned in the HTTP response.
- Stage 2 (Trigger): Upload an XML-tampered Excel file (bypassing the Excel library's Sheet name character validation) with the Sheet name set to
s_0425a81fc8"TO PROGRAM'sh'-- (only 29 characters). After backend concatenation, the resulting SQL is:
COPY "s_0425a81fc8"TO PROGRAM'sh'--_<new_hash>" FROM STDIN WITH CSV DELIMITER E'\t'
-- PostgreSQL actually parses this as:
COPY "s_0425a81fc8" TO PROGRAM 'sh' (everything after -- is a comment, ignored)
s_0425a81fc8 table data line-by-line into the sh process for execution, achieving arbitrary-length command execution.
- Impact
This vulnerability allows any authenticated user (including the lowest-privileged regular user) to directly take over the SQLBot backend server. Confirmed material impacts include:
- Remote Code Execution (RCE): Execute arbitrary system commands with
postgres (uid=999) user privileges, including reverse shells.
- Sensitive File Exfiltration: Read
/etc/passwd, /etc/shadow, application configuration files, and other sensitive data from the server.
- Complete Database Takeover: Since the exploit runs under the
postgres user, the attacker gains full control over the entire PostgreSQL database.
POC
- Prerequisites
- The target server hosts an accessible SQLBot network service.
- A valid regular user account (administrator privileges are NOT required). Many internet-facing targets use default public credentials:
admin/SQLBot@123456 , resulting in a very large attack surface.
- Steps to Reproduce
- Execute the Exploit Script
Launch the attack against the target using the PoC script:
python3 poc.py http://target:port/ -u test -p SQLBot@123456 "id > /tmp/pwned"
Verify command execution results:
- Demonstrate Reverse Shell
Affected versions
<= v1.6.0
Patches
The vulnerability has been fixed in v1.7.0.
Workarounds
It is recommended to upgrade the version to v1.7.0.
References
If you have any questions or comments about this advisory:
Open an issue in https://github.com/dataease/sqlbot
Email us at wei@fit2cloud.com
jackieya Finder
Impact
- Description
SQLBot contains a critical SQL Injection vulnerability in the
/api/v1/datasource/uploadExcelendpoint's Excel file processing logic. An attacker can upload a specially crafted Excel file with a malicious Sheet name to inject arbitrary SQL fragments, ultimately achieving Remote Code Execution (RCE) on the server.The core weakness lies in two pieces of code in the backend:
Flaw 1: Table name directly concatenates Sheet name (no sanitization)
backend/apps/datasource/api/datasource.py#L351:This line directly concatenates the Excel Sheet name (
sheet_name) with an underscore_and a 10-character random hash to form the PostgreSQL table name, without any special character filtering on the Sheet name. For example, when an attacker sets the Sheet name to a malicious SQL fragment likechat"FROM PROGRAM'id>/tmp/x'--, the generatedtableNamebecomes:Flaw 2: Table name embedded directly into COPY SQL statement (SQL Injection)
backend/apps/datasource/api/datasource.py#L385-L388:This code uses a Python f-string to embed the above
tableNamedirectly into theCOPYSQL statement's double-quoted identifier, without using parameterized queries.Since a double quote
"in the Sheet name can close the SQL identifier quoting, an attacker can inject aTO PROGRAM 'command'clause into the Sheet name, causing PostgreSQL to pipe query results into an operating system shell for execution.Although the Excel specification limits Sheet names to a maximum of 31 characters, an attacker can bypass this limitation through a two-stage injection technique to achieve arbitrary-length command execution:
s. Its data rows contain complete shell script commands. The backend, following the logic at line 351, constructs the table name ass_<10-char-random-hash>(e.g.,s_0425a81fc8) and stores the Excel data into that table. The full table name is returned in the HTTP response.s_0425a81fc8"TO PROGRAM'sh'--(only 29 characters). After backend concatenation, the resulting SQL is:s_0425a81fc8table data line-by-line into theshprocess for execution, achieving arbitrary-length command execution.- Impact
This vulnerability allows any authenticated user (including the lowest-privileged regular user) to directly take over the SQLBot backend server. Confirmed material impacts include:
postgres(uid=999) user privileges, including reverse shells./etc/passwd,/etc/shadow, application configuration files, and other sensitive data from the server.postgresuser, the attacker gains full control over the entire PostgreSQL database.POC
- Prerequisites
admin/SQLBot@123456, resulting in a very large attack surface.- Steps to Reproduce
Launch the attack against the target using the PoC script:
Verify command execution results:
Affected versions
<= v1.6.0
Patches
The vulnerability has been fixed in v1.7.0.
Workarounds
It is recommended to upgrade the version to v1.7.0.
References
If you have any questions or comments about this advisory:
Open an issue in https://github.com/dataease/sqlbot
Email us at wei@fit2cloud.com