Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior.
Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors.
This vulnerability was found by Xu Yuanzhen of Alibaba Cloud Security Team and Hongkun Chen of Alibaba.
This PoC is provided for research purposes. Do not use it to attack targets that you do not have explicit permission to exploit.
The vendor's disclosure and fix for this vulnerability can be found here.
The XXE vulnerability consists of an XML document containing malicious DTD entities being received by a MysqlSQLXML object; it is triggered when the getSource() function is called.
As seen in the code below, taken from mysql-connector-java-8.0.26.jar, when DOMSource.class is passed as the argument to getSource(), the method builds a DocumentBuilder with default (unhardened) settings, so an attacker who controls the content of the inputSource handed to the builder can leverage it to obtain XXE:
```java
public <T extends Source> T getSource(Class<T> clazz) throws SQLException {
    try {
        this.checkClosed();
        this.checkWorkingWithResult();
        InputSource inputSource;
        if (clazz != null && !clazz.equals(SAXSource.class)) {
            SQLException sqlEx;
            if (clazz.equals(DOMSource.class)) {
                try {
                    // The factory is left at platform defaults: no secure-processing feature,
                    // DOCTYPE declarations allowed, external entities resolved.
                    DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
                    builderFactory.setNamespaceAware(true);
                    DocumentBuilder builder = builderFactory.newDocumentBuilder();
                    // The XML comes either from the result set column or from setString().
                    if (this.fromResultSet) {
                        inputSource = new InputSource(this.owningResultSet.getCharacterStream(this.columnIndexOfXml));
                    } else {
                        inputSource = new InputSource(new StringReader(this.stringRep));
                    }
                    // The (possibly attacker-controlled) XML is parsed here with the default builder.
                    return (T) new DOMSource(builder.parse(inputSource));
                    // ... remainder of the method elided in the original excerpt
```
There are two ways to deliver the malicious XML to a MysqlSQLXML object:
- Using the sqlxml.setString() function (if the attacker can call, or propagate arbitrary input to, setString())
- Placing the XML in the database and retrieving it through a result set with resultSet.getSQLXML() (if the attacker has write access to the database, or can point the victim to an attacker-controlled database)
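To make the root cause concrete, the following added example (not code from Connector/J or from this PoC) reproduces the factory setup used by getSource() next to a hardened one and parses the same constructed DTD-bearing document with both. The hardened configuration is generic JAXP hardening, assumed here rather than taken from the vendor's fix; the sample XML uses only a harmless internal entity.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class XxeHardeningDemo {
    // Constructed sample input: an internal DTD entity only, enough to show whether the parser honours DOCTYPE.
    static final String XML_WITH_DTD =
        "<?xml version=\"1.0\"?>"
      + "<!DOCTYPE doc [<!ENTITY demo \"entity-expanded\">]>"
      + "<doc>&demo;</doc>";

    // Same factory setup as the vulnerable getSource(): platform defaults plus namespace awareness.
    static DocumentBuilder vulnerableBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        return f.newDocumentBuilder();
    }

    // Hardened variant (assumption: generic JAXP hardening, not the vendor's actual patch).
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Refusing any DOCTYPE blocks external entities, entity expansion and parameter entities at once.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that accept DOCTYPE but honour the SAX entity features.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f.newDocumentBuilder();
    }

    // Parses the sample with the given builder and reports whether the DTD was honoured or refused.
    static String parseAndReport(String label, DocumentBuilder builder) {
        try {
            Document d = builder.parse(new InputSource(new StringReader(XML_WITH_DTD)));
            return label + ": parsed, text = \"" + d.getDocumentElement().getTextContent() + "\"";
        } catch (Exception e) { // the hardened builder raises SAXParseException on the DOCTYPE
            return label + ": rejected (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(parseAndReport("default factory ", vulnerableBuilder()));
        System.out.println(parseAndReport("hardened factory", hardenedBuilder()));
    }
}
```

The default factory expands the entity, which is the behaviour the PoC relies on; the hardened factory refuses the document before any entity is resolved.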
PoC XXE using sqlxml.setString()
PoC XXE using resultSet.getSQLXML()
Download vulnerable JAR
Other XXE Payloads