JDBC Connection Injection: Arbitrary File Read and RCE via Driver Injection

Key Information Summary Vulnerability Type JDBC Connection Injection Description In the endpoint of , the application accepts user-controlled objects. The user-controlled and parameters are directly used by to establish a database connection. Due to the lack of validation on JDBC URL and driver class name, attackers can exploit this vulnerability to: 1. Arbitrary File Read: By specifying the MySQL driver and connecting to an attacker-controlled "malicious MySQL Server", attackers can leverage the feature in the MySQL protocol to request the client to read and upload arbitrary local files, such as or . 2. Remote Code Execution (RCE): If H2 database, SQLite, or MySQL drivers vulnerable to deserialization are present in the classpath, attackers can craft specific JDBC URLs (e.g., H2's command) to execute system commands. Impact Confidentiality Loss: Attackers can read sensitive configuration files, source code, system files, and credential files, leading to exposure of core secrets. Integrity Loss: In the presence of H2, SQLite, or specific deserialization gadget chains, the attack can escalate to RCE, enabling file system modification, backdoor implantation, or tampering with database records. Availability Loss: Attackers can exhaust service resources via RCE or repeated malicious connections, leading to service shutdown or deletion of critical data. Proof of Concept Requires running a malicious Python script to simulate a MySQL server, instructing the victim system to read the file . Sample HTTP POST request and JSON payload: Successfully verified arbitrary file read vulnerability. Remediation Measures Prohibit User-Controlled Driver Classes: Do not accept user-supplied ; hardcode allowed driver class names in backend logic. Remove Full URL Control: Instead of using the raw string, accept , , and separately, and construct the JDBC URL on the backend. Implement Parameter Whitelisting: Strictly validate or remove dangerous parameters (e.g., , , ) when building the URL. Principle of Least Privilege: Ensure the system user running the Java application has no filesystem access permissions to sensitive directories.

Goal Reached Thanks to every supporter — we hit 100%!

JDBC Connection Injection: Arbitrary File Read and RCE via Driver Injection