SQLBot Remote Code Execution Vulnerability via SQL Injection in Excel Upload Endpoint

Vulnerability

A critical SQL injection vulnerability affects SQLBot versions prior to 1.7.0 in the '/api/v1/datasource/uploadExcel' endpoint. Because the injection lands in a code path that issues PostgreSQL COPY statements, it escalates to remote code execution: any authenticated user, regardless of application role, can fully compromise the server. The root cause is that Excel sheet names are concatenated into PostgreSQL table names without sanitization, and those table names are then interpolated into COPY statements with f-strings instead of being validated and quoted as identifiers (a table name cannot be bound as an ordinary query parameter, so identifier quoting or an allowlist is the required control). Exploitation is a two-stage technique: first upload an ordinary file whose data rows contain shell commands, then upload a tampered file whose sheet name injects a 'TO PROGRAM' clause into the generated SQL. Excel itself caps sheet names at 31 characters, but an .xlsx file is zipped XML that can be edited directly, which is how the tampered name bypasses that default limit.
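The following is an added example, not SQLBot's own code, that contrasts the unsafe pattern the advisory describes (sheet name concatenated into a table name, then interpolated into COPY with an f-string) with a hardened version that allowlists the sheet name and quotes it as a PostgreSQL identifier. The function names, the "excel_" table prefix, the exact shape of the COPY statement and the tampered sheet name are all assumptions constructed for the illustration; they are not reproduced from the product or from any exploit.

```python
import re

# Assumed table-name prefix; SQLBot's real naming scheme is not reproduced here.
TABLE_PREFIX = "excel_"


def copy_sql_vulnerable(sheet_name: str) -> str:
    """Unsafe pattern (constructed to mirror the advisory): the sheet name is
    glued onto the table name unchecked and dropped into COPY via an f-string,
    so anything in the sheet name is parsed as SQL syntax."""
    table_name = TABLE_PREFIX + sheet_name
    return f"COPY {table_name} FROM STDIN WITH (FORMAT csv, HEADER true)"


# Hardened version: allowlist first (Excel itself limits sheet names to 31
# characters, so anything longer or with odd characters is already suspicious),
# then quote the result as an identifier.
SHEET_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,30}$")


def quote_ident(name: str) -> str:
    """Quote a PostgreSQL identifier the way the server's quote_ident() does:
    wrap in double quotes and double any embedded double quote. A quoted
    identifier can never terminate early and start a new clause."""
    if "\x00" in name:
        raise ValueError("NUL byte in identifier")
    return '"' + name.replace('"', '""') + '"'


def copy_sql_hardened(sheet_name: str) -> str:
    """Reject anything outside the allowlist, then emit the COPY with a quoted
    identifier so the table name cannot change the statement's structure."""
    if not SHEET_NAME_RE.fullmatch(sheet_name):
        raise ValueError(f"rejected sheet name: {sheet_name!r}")
    table = quote_ident(TABLE_PREFIX + sheet_name)
    return f"COPY {table} FROM STDIN WITH (FORMAT csv, HEADER true)"


def has_injected_to_program(sql: str) -> bool:
    """Demonstration-only structural check: a COPY built for FROM STDIN should
    never carry a TO PROGRAM clause outside a quoted identifier. Quoted
    identifiers are blanked out first so a name that merely *contains* the
    words is not flagged."""
    stripped = re.sub(r'"(?:[^"]|"")*"', '""', sql)
    return re.search(r"\bTO\s+PROGRAM\b", stripped, re.IGNORECASE) is not None


if __name__ == "__main__":
    benign = "sales_2024"
    # Constructed sheet name showing only the *shape* of the injection the
    # advisory describes: the name ends the table identifier and appends a
    # TO PROGRAM clause, with "--" commenting out the rest of the statement.
    tampered = "sales TO PROGRAM 'id' --"

    print(copy_sql_vulnerable(benign))
    print(copy_sql_vulnerable(tampered))   # now a COPY ... TO PROGRAM statement
    print(copy_sql_hardened(benign))
    try:
        copy_sql_hardened(tampered)
    except ValueError as err:
        print("hardened build refused:", err)
```

In a real codebase the quoting step should come from the driver rather than a hand-rolled helper, for example psycopg2's `sql.SQL("COPY {} FROM STDIN").format(sql.Identifier(table_name))`; the allowlist check stays in application code in either case, because quoting alone still lets an attacker pick an arbitrary existing table to read from or write to.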

Impact

Successful exploitation gives arbitrary command execution as the operating-system user that PostgreSQL runs under. Note that COPY ... TO PROGRAM runs the command on the database server host, which is not necessarily the host serving the application. From there the attacker can read any file accessible to that user and has complete control over the PostgreSQL database.

Reproduction

To reproduce, first upload an Excel file with a normal sheet name whose data rows contain the shell commands to be run; the file is processed and its rows are loaded into a table named after the sheet. Then upload a second Excel file whose sheet name has been tampered with so that the SQL generated from it gains a 'TO PROGRAM' clause. Processing the second file executes the injected commands on the server.

Remediation

Users are advised to upgrade SQLBot to version 1.7.0 or later, where this vulnerability has been fixed. As defense in depth, run SQLBot with a PostgreSQL role that is neither a superuser nor a member of pg_execute_server_program: PostgreSQL refuses COPY ... TO PROGRAM for any other role, which removes the code-execution primitive even if a similar injection is found in the future. Until the upgrade is applied, restrict which accounts can reach the upload endpoint.

Added: Mar 20, 2026, 5:25 AM
Updated: Mar 20, 2026, 5:25 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 6.6
remediation: 0.0
relevance: 4.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.