BUG: Beekeeper Remote Code Execution via XSS #1393
Comments
Thanks. Looking into this. Will get fixed asap.
rathboma added a commit that referenced this issue on Nov 21, 2022:
- Replaced Noty with a custom fork of noty that uses text as innerText, not innerHTML
- Replaced VueNoty wrapper with custom implementation
Fixed in 3.7.10
rathboma added a commit that referenced this issue on Nov 21, 2022:
Fix #1393 3.7.10 hotfix with xss fix
Author: bob11.devranger@gmail.com
Date: 2022-10-07
OS: Windows, Linux, MacOS
Beekeeper Studio Version: 3.6.6
DB Type & Version: MySQL 5.7 and 8.0 also
Summary
It has been possible to trigger remote code execution via Beekeeper’s Modal Container.
Description
Beekeeper has a modal container which indicates whether the user's interaction is valid, and due to a lack of sanitization of the modal contents, it has an XSS vulnerability like this:
[1]
[2]
The modal's content is also transferred in a MySQL packet, only when the user's interaction is invalid, like this:
So, taking advantage of the report in CVE-2022-26174, it has been possible to achieve remote code execution via the Modal Container.
In this case, I made a fake MySQL server which spoofs the user's modal output when the user puts some data in a table.
This is my sample fake SQL server: poc.py
You can see in this PoC video that the fake SQL server triggers RCE via Beekeeper.
PoC_Video
In this video, I used this XSS script for the modal error output:
<input type="text" onfocus="require('child_process').execSync('calc.exe')" autofocus />
Any input that the user passes is replaced by that XSS script and re-passed to the user. Finally, the malicious code is triggered on the user's PC and keeps running until the modal is deactivated.
What’s More?
Temporary Fake SQL Server
146.56.129.188:3306
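The root cause and the fix side by side, as an added example that is not code from Beekeeper Studio, Noty or the reporter: a database server's error text is untrusted input to the client, and the hotfix's move from innerHTML to innerText means it can no longer become live markup. The sample error string is constructed for this example, and `escapeHtml` stands in for a text-node insert so the output can be checked without a DOM.

```javascript
// Added example (not Beekeeper Studio's or Noty's code): error text returned
// in a database protocol packet is attacker-controlled data and must never
// reach the notification widget through innerHTML.

// Constructed sample of a hostile server error message, modelled on the
// report: markup with an inline event handler that fires once rendered.
const HOSTILE_SERVER_ERROR =
  'Duplicate entry <input type="text" onfocus="alert(1)" autofocus /> for key';

// Vulnerable pattern: the original widget assigned the message to innerHTML,
// so any tags inside the server's text become live DOM nodes.
function renderUnsafe(message) {
  return `<div class="noty_body">${message}</div>`; // what innerHTML would parse
}

// Emulates inserting the message as a text node (what the forked widget does
// with innerText): every markup-significant character is neutralised.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: the message can only ever be displayed, never parsed.
function renderSafe(message) {
  return `<div class="noty_body">${escapeHtml(message)}</div>`;
}

// Defender's regression check for the widget: does the rendered markup contain
// an element carrying an inline on*= handler or a script tag? This is a test
// oracle for the rendering path, not a sanitizer.
function containsActiveContent(markup) {
  return /<[a-z][^>]*\son\w+\s*=|<script\b/i.test(markup);
}

module.exports = { HOSTILE_SERVER_ERROR, renderUnsafe, renderSafe, escapeHtml, containsActiveContent };
```

In an Electron renderer with Node integration enabled, the live `<input>` produced by the unsafe path is exactly what lets a handler reach `require('child_process')`; fixing the rendering removes the foothold regardless of what the server sends.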