
CVE-2021-2471 PoC — Oracle MySQL Input Validation Error Vulnerability

Associated Vulnerability
Title: Oracle MySQL Input Validation Error Vulnerability (CVE-2021-2471)
Description: Oracle MySQL is an open-source relational database management system from the US company Oracle. MySQL Connectors are the drivers that connect applications to MySQL. An input validation error vulnerability exists in the MySQL Connectors product of Oracle MySQL; it allows a high-privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful exploitation results in unauthorized access to critical data or complete access to all data accessible to MySQL Connectors, and can cause MySQL Connectors to hang or crash frequently and repeatably.
Repository description: PoC for CVE-2021-2471 - XXE in MySQL Connector/J
Readme
# CVE-2021-2471 - XXE in MySQL Connector/J

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior.

Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors.

### Disclaimer:

This vulnerability was found by Xu Yuanzhen of Alibaba Cloud Security Team and Hongkun Chen of Alibaba.

This PoC is provided for research purposes. Do not use it to attack targets that you do not have explicit permission to exploit.

### Vendor Disclosure:

The vendor's disclosure and fix for this vulnerability can be found [here](https://www.oracle.com/security-alerts/cpuoct2021.html).

### Proof Of Concept:

The XXE vulnerability arises when an XML document containing malicious DTD entities is received by a MysqlSQLXML object; it is triggered when the getSource() function is called.

As seen in the code below from mysql-connector-java-8.0.26.jar, when the DOMSource class is passed as the argument to getSource(), the method builds a DocumentBuilder from a default DocumentBuilderFactory without disabling DTD processing or external entities. If an attacker controls the content of the inputSource handed to that builder, they can leverage it to obtain XXE:

```java
public <T extends Source> T getSource(Class<T> clazz) throws SQLException {
    try {
        this.checkClosed();
        this.checkWorkingWithResult();
        InputSource inputSource;
        if (clazz != null && !clazz.equals(SAXSource.class)) {
            if (clazz.equals(DOMSource.class)) {
                try {
                    // Default factory: DOCTYPE declarations and external entity
                    // resolution remain enabled, so any DTD in the XML is honoured.
                    DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
                    builderFactory.setNamespaceAware(true);
                    DocumentBuilder builder = builderFactory.newDocumentBuilder();
                    // The XML comes either from the result set column or from the
                    // string set via setString(); both can be attacker-influenced.
                    if (this.fromResultSet) {
                        inputSource = new InputSource(this.owningResultSet.getCharacterStream(this.columnIndexOfXml));
                    } else {
                        inputSource = new InputSource(new StringReader(this.stringRep));
                    }

                    // The untrusted document is parsed by the unrestricted builder.
                    return new DOMSource(builder.parse(inputSource));
                    // ... remaining branches and exception handling omitted from this excerpt
```

There are two ways to deliver the malicious XML to the MysqlSQLXML object:
- Using the sqlxml.setString() function (if the attacker can call setString, or propagate arbitrary input to it)
- Placing the XML in the database and retrieving it through a result set with resultSet.getSQLXML() (if the attacker has write access to the database, or can point the victim at an attacker-controlled database)
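To make the root cause concrete, the following is an added example (not code from the PoC repository or from Connector/J) that places the factory setup used in getSource() above beside a hardened one. It parses a constructed, harmless document that merely carries a DTD with an internal entity: the default builder expands the entity, while the hardened builder refuses the document at the DOCTYPE, which is the property a fix for this class of bug needs. The class and method names are the example's own.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class SqlxmlHardeningDemo {
    // Constructed sample: harmless internal entity, but it rides on a DOCTYPE,
    // and a DOCTYPE is exactly what admits external entities in the real bug.
    static final String XML_WITH_DTD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE data [ <!ENTITY tag \"expanded-by-parser\"> ]>\n"
      + "<data>&tag;</data>";

    // Mirrors the vulnerable Connector/J path: default factory, only namespace awareness set.
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        return f.newDocumentBuilder();
    }

    // Hardened factory: reject any DOCTYPE outright and, as defence in depth,
    // switch off every external-entity and external-DTD feature.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns the document's text content, or null when the parser refused the document.
    static String parseText(DocumentBuilder builder, String xml) throws Exception {
        try {
            Document doc = builder.parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement().getTextContent();
        } catch (SAXParseException e) {
            return null; // DOCTYPE rejected: the hardened path stops here
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default : " + parseText(defaultBuilder(), XML_WITH_DTD));
        System.out.println("hardened: " + parseText(hardenedBuilder(), XML_WITH_DTD));
    }
}
```

Applied to the getSource() path, the same feature settings on builderFactory would stop the DTD in either delivery route (setString() or the result set column) before any entity is resolved.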

### Additional Resources:

- [PoC XXE using sqlxml.setString()](Test.java)
- [PoC XXE using resultSet.getSQLXML()](https://github.com/SecCoder-Security-Lab/jdbc-sqlxml-xxe/blob/main/src/main/java/me/threedr3am/bug/jdbc/sqlxml/xxe/oracle/OracleJDBC.java)
- [Download vulnerable JAR](https://downloads.mysql.com/archives/get/p/3/file/mysql-connector-java-8.0.26.zip)
- [Other XXE Payloads](https://github.com/payloadbox/xxe-injection-payload-list)
File Snapshot

```
[4.0K] /data/pocs/588ddb32a5213baa7141cb7641b585c8f3ba61e5
├── [3.2K] README.md
└── [ 993] Test.java

0 directories, 2 files
```