H2 Database Code Execution #10407
H2 Database Code Execution #10407
Conversation
|
|
||
| ## Verification Steps | ||
|
|
||
| Example steps in this format: |
| ## Vulnerable Application | ||
|
|
||
| This module exploits an arbitrary code execution vulnerability in H2 Database version 1.4.197 using the ALIAS functionality. The H2 Database is used in Datomic before 0.9.5697 and other products and a copy of the vulnerable application can be downloaded from [https://www.exploit-db.com](https://www.exploit-db.com/apps/af9c1b47ddd7f3c58aaf189e25f3b714-h2-2017-06-10.zip). | ||
|
|
There was a problem hiding this comment.
I would add a link to the download: http://www.h2database.com/h2-2018-03-18.zip
|
|
||
| ## Scenarios | ||
|
|
||
| Example usage against a Linux x64 bit target running H2 Database 1.4.197. |
There was a problem hiding this comment.
## H2 Database 1.4.197 on Linux x64
| super(update_info(info, | ||
| 'Name' => 'H2 Arbitrary Code Execution using CREATE ALIAS', | ||
| 'Description' => %q{ | ||
| 'H2 1.4.197, as used in Datomic before 0.9.5697 and other products, allows |
There was a problem hiding this comment.
is it only this version, or is it a "<= 1.4.197"?
| @@ -0,0 +1,35 @@ | |||
| ## Vulnerable Application | |||
|
|
|||
| This module exploits an arbitrary code execution vulnerability in H2 Database version 1.4.197 using the ALIAS functionality. The H2 Database is used in Datomic before 0.9.5697 and other products and a copy of the vulnerable application can be downloaded from [https://www.exploit-db.com](https://www.exploit-db.com/apps/af9c1b47ddd7f3c58aaf189e25f3b714-h2-2017-06-10.zip). | |||
There was a problem hiding this comment.
see other comment about version equals or <=
|
|
||
| uri = normalize_uri(target_uri.path, "login.do?jsessionid=#{resp}") | ||
|
|
||
| res = send_request_cgi({ |
There was a problem hiding this comment.
you never check to ensure the login was successful. res isn't used at all. I'd prefer a quick check to ensure the login was a success on the res variable.
| resp=res.body.scan(/jsessionid=(\w+)/).flatten.first | ||
|
|
||
| uri = normalize_uri(target_uri.path, "login.do?jsessionid=#{resp}") | ||
|
|
There was a problem hiding this comment.
maybe a vprint_status('Attempting Login')
| 'password' => datastore['PASSWORD'] | ||
| } | ||
| }) | ||
| res = send_request_cgi({ |
There was a problem hiding this comment.
Maybe a vprint_status('Triggering RCE')
| 'password' => datastore['PASSWORD'] | ||
| } | ||
| }) | ||
| res = send_request_cgi({ |
There was a problem hiding this comment.
res is never used, in this case since you prob wont use it for anything, id just remove res =
|
|
||
| def initialize(info = {}) | ||
| super(update_info(info, | ||
| 'Name' => 'H2 Arbitrary Code Execution using CREATE ALIAS', |
There was a problem hiding this comment.
I can see h2 being a product naming collision in the future, maybe H2 Database CREATE ALIAS RCE is more descriptive but shorter?
There was a problem hiding this comment.
Agreed. The original exploit name was similar; H2 Database 'Alias' Arbitrary Code Execution.
|
Closed at request of @DanielRTeixeira in preparation for new PR. |
This PR adds a module to exploit a code execution vulnerability in H2 Database version 1.4.197 using the ALIAS functionality.
Tested on: Linux x64 bit target running H2 Database 1.4.197.
Verification
List the steps needed to make sure this thing works
msfconsoleuse exploit/multi/http/h2_aliasExample