AI PRP: prestodb exposed UI and APIs
lanced00m commented
According to the prestodb introduction: Presto is a distributed SQL query engine designed to query large data sets distributed over one or more heterogeneous data sources.
From my tests on an exposed prestodb UI, attackers can execute arbitrary SQL queries in an exposed prestodb UI. I couldn't find a way to execute an OS-level command, but performing a generic SQL query is easy.
We can run an instance quickly with Docker: https://hub.docker.com/r/prestodb/presto
Documentation: http://prestodb.io/docs/0.286/overview.html
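Added example, not part of the original issue or of any project's code: a minimal audit check that an operator could run against their own Presto coordinator to see whether it answers without credentials. It assumes Presto's REST endpoint `/v1/info` and its `nodeVersion` and `coordinator` reply fields; the function names and the sample replies are constructed for illustration.

```python
import json
import urllib.error
import urllib.request

# Constructed sample replies (not captured from a real server).
SAMPLE_OPEN = ('{"nodeVersion":{"version":"0.286"},"environment":"test",'
               '"coordinator":true,"starting":false,"uptime":"5.00m"}')
SAMPLE_OTHER = "<html><body>It works</body></html>"


def classify_info_response(status, body):
    """Classify a reply to GET /v1/info.

    Returns 'exposed' (Presto answered anonymously), 'auth-required'
    (the server demanded credentials) or 'not-presto'.
    """
    if status in (401, 403):
        return "auth-required"
    if status != 200:
        return "not-presto"
    try:
        info = json.loads(body)
    except (ValueError, TypeError):
        return "not-presto"
    if not isinstance(info, dict):
        return "not-presto"
    version = info.get("nodeVersion")
    # Assumed fingerprint: a version object plus the coordinator flag.
    if isinstance(version, dict) and "version" in version and "coordinator" in info:
        return "exposed"
    return "not-presto"


def check_host(base_url, timeout=5):
    """Fetch /v1/info from a host you operate and classify the reply."""
    url = base_url.rstrip("/") + "/v1/info"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify_info_response(resp.status, body)
    except urllib.error.HTTPError as err:
        return classify_info_response(err.code, "")
    except (urllib.error.URLError, OSError):
        return "unreachable"


if __name__ == "__main__":
    print(classify_info_response(200, SAMPLE_OPEN))
    print(classify_info_response(200, SAMPLE_OTHER))
```

An `exposed` result means the coordinator should be moved behind authentication or a network boundary before it is reachable from untrusted networks.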