CVE-2023-30625
HIGH EXPLOITED NUCLEI
Rudder Server SQLI Remote Code Execution
Title source: metasploit
Exploitation Summary
CVE-2023-30625 has been observed exploited in the wild (reported by VulnCheck KEV).
EIP tracks 1 public exploit from researchers including Ege Balcı: the Metasploit module exploits/multi/http/rudder_server_sqli_rce.
A Nuclei detection template is also available.
AI-analyzed exploit summary
This Metasploit module exploits a SQL injection vulnerability (CVE-2023-30625) in RudderStack's rudder-server, allowing arbitrary SQL command execution and potential RCE due to PostgreSQL superuser permissions. The exploit crafts a malicious JSON payload to trigger command execution via the `copy ... to program` SQL command.
Description
rudder-server is part of RudderStack, an open source Customer Data Platform (CDP). Versions of rudder-server prior to 1.3.0-rc.1 are vulnerable to SQL injection. This issue may lead to Remote Code Execution (RCE) because the `rudder` role in PostgreSQL has superuser permissions by default. Version 1.3.0-rc.1 contains patches for this issue.
Scores
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H