CVE-2024-21513 PoC — LangChain Security Vulnerability

Associated Vulnerability
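Title: LangChain Security Vulnerability (CVE-2024-21513)
Description: LangChain is a framework from the US company LangChain for building applications with LLMs through composability. LangChain versions from 0.0.15 up to but not including 0.0.21 contain a security vulnerability: they are susceptible to arbitrary code execution, which an attacker can exploit to execute arbitrary Python code.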
Description
PoC for CVE-2024-21513
Readme
# CVE-2024-21513
PoC for CVE-2024-21513
Original exploit documented by Snyk Security Research

## Exploit
CVE-2024-21513 is a vulnerability in langchain-experimental where unvalidated SQL query results were passed to Python's eval(), enabling remote code execution through SQL-based input injection. 

## PoC Structure

This PoC is a very basic Flask App with inline HTML where users can enter coordinates into a SQLite DB.

If a user enters a malicious payload in the y value, a vulnerable LangChain-Experimental feature will fetch the y value based on the x value and pass the result to eval(), which causes it to be executed.

This PoC has a hard-coded LLM that returns the SQL query for finding where x = 10. 

### Example: 
1) Add multiple regular coordinates to the DB
2) Add the point `(10, print("You've been pwned!"))` to the DB through the same form
3) Check to see if the points are all there by checking the /debug route
4) Ask for data where x = 10 in the /query function (what you ask doesn't matter, the SQL result is always the same)
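
The flaw described above, reduced to a self-contained sketch next to a hardened read path. This is an added example, not code from the PoC repository or from langchain-experimental; the `points` table, the function names and the `CANARY` marker are constructed for illustration.

```python
import math
import sqlite3

CANARY = []  # constructed marker: records whether stored text ran as code


def make_db():
    """Constructed sample data: a points table whose y column is free text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE points (x INTEGER, y TEXT)")
    conn.executemany(
        "INSERT INTO points VALUES (?, ?)",
        [(1, "2"), (3, "4.5"), (10, "CANARY.append('ran')")],
    )
    return conn


def fetch_y_vulnerable(conn, x):
    """The flawed pattern: a database value is handed to eval()."""
    (y,) = conn.execute("SELECT y FROM points WHERE x = ?", (x,)).fetchone()
    return eval(y)  # stored text is executed as a Python expression


def fetch_y_hardened(conn, x):
    """Parse the value as the type the column should hold; never evaluate it."""
    (y,) = conn.execute("SELECT y FROM points WHERE x = ?", (x,)).fetchone()
    try:
        value = float(y)
    except (TypeError, ValueError):
        raise ValueError(f"non-numeric y stored for x={x!r}") from None
    if not math.isfinite(value):
        raise ValueError(f"non-finite y stored for x={x!r}")
    return value


if __name__ == "__main__":
    db = make_db()
    print(fetch_y_hardened(db, 3))
    fetch_y_vulnerable(db, 10)
    print("stored text executed:", CANARY == ["ran"])
    try:
        fetch_y_hardened(db, 10)
    except ValueError as exc:
        print("rejected:", exc)
```

The SQL query itself is parameterized in both functions; the difference is only in how the returned value is treated, which is why parameterized queries alone do not address this class of bug.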

## File Structure
```
.
├── Dockerfile
├── README.md
├── app
│   ├── db.py
│   ├── exploit.db
│   ├── llm.py
│   ├── main.py
│   └── requirements.txt
└── docker-compose.yml
```
## How to Run This
This exploit is containerized so that it doesn't impact anything on your actual dev environment. 

I assume that you have Docker and/or Docker Compose already installed (ensure that WSL2 config is on in Docker if you are using WSL).

### Steps to Run: 
1) `git clone https://github.com/nskath/CVE-2024-21513`
2) `cd CVE-2024-21513`
3) `docker-compose up --build`
4) Visit `localhost:5000` (`127.0.0.1:5000`)

## Video of Exploit: 

https://github.com/user-attachments/assets/7ad27115-411a-467f-b649-2b3508b6f5df

