{"id":25077734,"url":"https://github.com/drunkenshells/cve-2021-2471","last_synced_at":"2025-04-15T03:06:03.960Z","repository":{"id":266301776,"uuid":"420195489","full_name":"DrunkenShells/CVE-2021-2471","owner":"DrunkenShells","description":"PoC for CVE-2021-2471 - XXE in MySQL Connector/J","archived":false,"fork":false,"pushed_at":"2021-10-22T18:21:39.000Z","size":4,"stargazers_count":3,"open_issues_count":0,"forks_count":3,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-15T03:05:59.182Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DrunkenShells.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-10-22T17:59:16.000Z","updated_at":"2024-08-12T20:17:28.000Z","dependencies_parsed_at":"2024-12-03T16:16:19.704Z","dependency_job_id":"de8c4663-6909-4362-97e8-77f89d10a555","html_url":"https://github.com/DrunkenShells/CVE-2021-2471","commit_stats":null,"previous_names":["drunkenshells/cve-2021-2471"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DrunkenShells%2FCVE-2021-2471","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DrunkenShells%2FCVE-2021-2471/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DrunkenShells%2FCVE-2021-2471/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DrunkenShells%2FCVE-2021-2471/manifests","owner_url":"https://repos.ecosyste.ms/
api/v1/hosts/GitHub/owners/DrunkenShells","download_url":"https://codeload.github.com/DrunkenShells/CVE-2021-2471/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248997086,"owners_count":21195799,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-02-07T02:35:57.087Z","updated_at":"2025-04-15T03:06:03.943Z","avatar_url":"https://github.com/DrunkenShells.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# CVE-2021-2471 - XXE in MySQL Connector/J\n\nVulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior.\n\u003c/br\u003e\nSuccessful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors.\n\n### Disclaimer:\n\nThis vulnerability was found by Xu Yuanzhen of Alibaba Cloud Security Team and Hongkun Chen of Alibaba.\n\u003c/br\u003e\nThis PoC is provided for research purposes. 
Do not use it to attack targets that you do not have explicit permission to exploit.\n\n### Vendor Disclosure:\n\nThe vendor's disclosure and fix for this vulnerability can be found [here](https://www.oracle.com/security-alerts/cpuoct2021.html).\n\n### Proof Of Concept:\n\nThe XXE vulnerability arises when an XML document containing malicious DTD entities is received by a MysqlSQLXML component, and it is triggered when the getSource() function is called.\n\u003c/br\u003e\n\nAs seen in the code below from mysql-connector-java-8.0.26.jar, when the DOMSource class is given as the argument to the getSource() function, the function creates a DocumentBuilder from a DocumentBuilderFactory on which only namespace awareness is set (no DTD or external-entity restrictions are configured) and parses the input with it. If an attacker controls the content of the inputSource passed to the builder, they can leverage this to obtain XXE:\n\n```\npublic \u003cT extends Source\u003e T getSource(Class\u003cT\u003e clazz) throws SQLException {\n        try {\n            this.checkClosed();\n            this.checkWorkingWithResult();\n            InputSource reader;\n            if (clazz != null \u0026\u0026 !clazz.equals(SAXSource.class)) {\n                SQLException sqlEx;\n                if (clazz.equals(DOMSource.class)) {\n                    try {\n                        DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();\n                        builderFactory.setNamespaceAware(true);\n                        DocumentBuilder builder = builderFactory.newDocumentBuilder();\n                        if (this.fromResultSet) {\n                            inputSource = new InputSource(this.owningResultSet.getCharacterStream(this.columnIndexOfXml));\n                        } else {\n                            inputSource = new InputSource(new StringReader(this.stringRep));\n                        }\n\n                        return new DOMSource(builder.parse(inputSource));\n```\n\nThere are 2 ways to pass the malicious XXE payload to the MysqlSQLXML component:\n- Using the sqlxml.setString() function 
(if the attacker can call or propagate arbitrary input to the setString function)\n- Placing the XML in the DB and retrieving it via a result set using the resultSet.getSQLXML() function (if the attacker has write access to the DB, or can point the victim to an attacker-controlled database)\n\n### Additional Resources:\n\n[PoC XXE using sqlxml.setString()](Test.java)\n\u003c/br\u003e\n[PoC XXE using resultSet.getSQLXML()](https://github.com/SecCoder-Security-Lab/jdbc-sqlxml-xxe/blob/main/src/main/java/me/threedr3am/bug/jdbc/sqlxml/xxe/oracle/OracleJDBC.java)\n\u003c/br\u003e\n[Download vulnerable JAR](https://downloads.mysql.com/archives/get/p/3/file/mysql-connector-java-8.0.26.zip)\n\u003c/br\u003e\n[Other XXE Payloads](https://github.com/payloadbox/xxe-injection-payload-list)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdrunkenshells%2Fcve-2021-2471","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdrunkenshells%2Fcve-2021-2471","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdrunkenshells%2Fcve-2021-2471/lists"}