Arbitrary Command Execution via Database Driver Upload

**Description**

DataGear is an open-source and free data visualization analysis platform that allows you to freely create any kind of data dashboard you want, supporting access to multiple data sources such as SQL, CSV, Excel, HTTP interface, JSON, etc.

DataGear 5.2.0 and below allows uploading arbitrary database drivers, which can lead to arbitrary command execution.

**Reproduction**
Step 1:
 Upload the modified database driver file，mysql-connector-java-8.0.28.jar.
The connect method in com.mysql.cj.jdbc.NonRegisteringDriver has been modified to accept the username as a command for execution.
![image](https://github.com/user-attachments/assets/7a8c4859-0e9e-4c22-8b26-026918215416)

![image](https://github.com/user-attachments/assets/355be4c9-ef99-4119-8ff9-5d7316890ca9)

Step 2: 
Create a new data source, select the recently uploaded driver as the data driver, enter "calc" as the username, and click test. This will open the calculator.
![image](https://github.com/user-attachments/assets/903549bb-ba9d-4d5f-a989-df4bd1dea00b)


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Arbitrary Command Execution via Database Driver Upload #33

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Arbitrary Command Execution via Database Driver Upload #33

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions