SQLBot Server-Side Request Forgery Vulnerability Allowing Arbitrary File Read

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability has been identified in SQLBot versions prior to 1.7.0. It allows an attacker to retrieve arbitrary files from the SQLBot server's filesystem. The issue lies in the '/api/v1/datasource/check' endpoint, where a forged MySQL data source can be created with a malicious 'extraJdbc' parameter. When the SQLBot backend verifies connectivity to that data source, an attacker-controlled MySQL server can answer the connection with a 'LOAD DATA LOCAL INFILE' request; the SQLBot client then reads sensitive files such as '/etc/passwd' or application configuration files and sends their contents back to the attacker's server.

Impact

Exploitation of this vulnerability allows unauthorized attackers to read sensitive files from the SQLBot server, including system account information, process environment variables containing database passwords and API keys, and project configuration files. This could lead to a complete database compromise and unauthorized access to the host system.

Reproduction

To reproduce this vulnerability, log into SQLBot and navigate to the '数据源' (Data Source) section. Create a new MySQL data source and enter the IP address of a host running a rogue MySQL server set up to request files from connecting clients. In the '额外的数据库连接配置' (Extra Database Connection Configuration) field, include 'local_infile=1' so that the client honours the server's file request. Once the data source is saved, SQLBot attempts to verify the connection, which triggers the file read.

Remediation

Users are advised to upgrade SQLBot to version 1.7.0, where this vulnerability has been fixed.
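Independently of the upgrade, the root cause is that user-supplied extra connection parameters reach the MySQL driver unfiltered. The following is an added example of how a backend can validate that field, not SQLBot's own code: it assumes the extras use 'key=value&key2=value2' syntax and PyMySQL-style parameter names, and the deny-list is constructed here.

```python
from urllib.parse import parse_qsl

# Connection parameters a data-source form must never accept from the user.
# Names are compared case-insensitively. The set is constructed for this
# example; extend it to match the driver actually in use.
DENIED_PARAMS = frozenset({
    "local_infile",                 # PyMySQL / mysqlclient: client-side LOAD DATA LOCAL
    "allowloadlocalinfile",         # MySQL Connector/J equivalents (JDBC)
    "allowloadlocalinfileinpath",
    "allowurlinlocalinfile",
    "host", "port", "unix_socket",  # must come from the dedicated form fields
    "user", "password",
})


def parse_extra_params(extra: str) -> dict[str, str]:
    """Parse a 'key=value&key2=value2' extras string into a dict of lowercase keys.

    Raises ValueError if the string is malformed or names a denied parameter.
    """
    if not extra or not extra.strip():
        return {}
    pairs = parse_qsl(extra.strip(), keep_blank_values=True, strict_parsing=True)
    params: dict[str, str] = {}
    for key, value in pairs:
        name = key.strip().lower()
        if name in DENIED_PARAMS:
            raise ValueError(f"connection parameter not allowed in extras: {key!r}")
        params[name] = value
    return params


def build_connect_kwargs(host: str, port: int, user: str, password: str,
                         database: str, extra: str) -> dict:
    """Assemble driver kwargs (PyMySQL-style names) with local_infile forced off."""
    kwargs = {
        "host": host, "port": port, "user": user,
        "password": password, "database": database,
    }
    kwargs.update(parse_extra_params(extra))
    # Defence in depth: even if the deny-list is ever loosened, the client
    # never answers a server's LOAD DATA LOCAL request.
    kwargs["local_infile"] = False
    return kwargs
```

A rejected extras string is also a useful detection signal: log the data-source id and the offending key at warning level, since a legitimate user has no reason to set it.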

Added: Mar 20, 2026, 5:26 AM
Updated: Mar 20, 2026, 5:26 AM

Vulnerability Rating

Custom Algorithm scores: spread 0.0; impact 2.5; exploitability 5.7; remediation 0.0; relevance 4.2; threat 4.8; urgency 2.9; incentive 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.