H2 Database Code Execution #10407
Conversation
|
||
## Verification Steps | ||
|
||
Example steps in this format: |
remove this line
## Vulnerable Application | ||
|
||
This module exploits an arbitrary code execution vulnerability in H2 Database version 1.4.197 using the ALIAS functionality. The H2 Database is used in Datomic before 0.9.5697 and other products and a copy of the vulnerable application can be downloaded from [https://www.exploit-db.com](https://www.exploit-db.com/apps/af9c1b47ddd7f3c58aaf189e25f3b714-h2-2017-06-10.zip). | ||
|
I would add a link to the download: http://www.h2database.com/h2-2018-03-18.zip
|
||
## Scenarios | ||
|
||
Example usage against a Linux x64 bit target running H2 Database 1.4.197. |
## H2 Database 1.4.197 on Linux x64
super(update_info(info, | ||
'Name' => 'H2 Arbitrary Code Execution using CREATE ALIAS', | ||
'Description' => %q{ | ||
'H2 1.4.197, as used in Datomic before 0.9.5697 and other products, allows |
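Review bot: the description body opens with a stray single quote (`'H2 1.4.197, as used in Datomic ...`) inside the `%q{ ... }` literal, so that apostrophe is emitted verbatim as the first character of the module's description; drop it. While editing that string, state the affected version range explicitly (only 1.4.197, or everything up to and including it), since both the Name and the Description currently give a single version.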
is it only this version, or is it a "<= 1.4.197"?
@@ -0,0 +1,35 @@ | |||
## Vulnerable Application | |||
|
|||
This module exploits an arbitrary code execution vulnerability in H2 Database version 1.4.197 using the ALIAS functionality. The H2 Database is used in Datomic before 0.9.5697 and other products and a copy of the vulnerable application can be downloaded from [https://www.exploit-db.com](https://www.exploit-db.com/apps/af9c1b47ddd7f3c58aaf189e25f3b714-h2-2017-06-10.zip). |
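Review bot: the documentation names version 1.4.197 but links an archive called h2-2017-06-10.zip, so a reader cannot tell which build was actually tested; name the exact build the module was verified against, and if earlier builds are affected as well, give the range rather than a single version so the Vulnerable Application section matches the module's own version claim.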
see other comment about version equals or <=
|
||
uri = normalize_uri(target_uri.path, "login.do?jsessionid=#{resp}") | ||
|
||
res = send_request_cgi({ |
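Review bot: `res` returned by `send_request_cgi` is `nil` when the connection fails, and nothing here checks it before the next request is built; add a guard such as `fail_with(Failure::Unreachable, 'No response from H2 console') unless res`, and confirm the login actually succeeded (status code or an expected body marker) before `resp` is interpolated into the `login.do?jsessionid=` URI.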
you never check to ensure the login was successful. `res` isn't used at all. I'd prefer a quick check to ensure the login was a success on the `res` variable.
resp=res.body.scan(/jsessionid=(\w+)/).flatten.first | ||
|
||
uri = normalize_uri(target_uri.path, "login.do?jsessionid=#{resp}") | ||
|
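Review bot: `resp=res.body.scan(/jsessionid=(\w+)/).flatten.first` is `nil` when the body carries no session id, and the following line then silently builds `login.do?jsessionid=` with an empty value; add `fail_with(Failure::UnexpectedReply, 'No jsessionid in response')` (or similar) before the URI is built. Minor: put spaces around `=` to match the rest of the module's style.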
maybe a vprint_status('Attempting Login')
'password' => datastore['PASSWORD'] | ||
} | ||
}) | ||
res = send_request_cgi({ |
Maybe a vprint_status('Triggering RCE')
'password' => datastore['PASSWORD'] | ||
} | ||
}) | ||
res = send_request_cgi({ |
`res` is never used, in this case since you prob won't use it for anything, I'd just remove `res =`
|
||
def initialize(info = {}) | ||
super(update_info(info, | ||
'Name' => 'H2 Arbitrary Code Execution using CREATE ALIAS', |
I can see `h2` being a product naming collision in the future, maybe `H2 Database CREATE ALIAS RCE` is more descriptive but shorter?
Agreed. The original exploit name was similar; `H2 Database 'Alias' Arbitrary Code Execution`.
Closed at request of @DanielRTeixeira in preparation for new PR.
This PR adds a module to exploit a code execution vulnerability in H2 Database version 1.4.197 using the ALIAS functionality.
Tested on: Linux x64 bit target running H2 Database 1.4.197.
Verification
List the steps needed to make sure this thing works
msfconsole
use exploit/multi/http/h2_alias
Example
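From the defender's side, the feature this module abuses is H2's `CREATE ALIAS`, which either binds a function name to an existing Java method (`FOR "class.method"`) or compiles inline Java source supplied between `$$` markers (`AS $$ ... $$`). The check below is an added example, not part of this PR or of the Metasploit module: it scans constructed web-console request log lines, URL-decodes the submitted SQL, and reports every `CREATE ALIAS` statement together with its session id and which of the two forms it used. The log line layout and the `scan_console_log` / `classify_alias` helper names are assumptions made for the example; the `CREATE ALIAS` syntax itself is documented H2 behaviour.

```ruby
# Added example (not the PR's or the module's code): flag SQL submitted to an
# H2 web console that defines a user function with CREATE ALIAS.
require 'cgi'

# Constructed sample log, one console request per line, with the submitted SQL
# carried as a URL-encoded "sql=" parameter. Not real traffic; the layout is an
# assumption for this example.
SAMPLE_LOG = <<~LOG
  2018-04-01T10:00:01Z 10.0.0.5 POST /login.do?jsessionid=abc123 sql=
  2018-04-01T10:00:02Z 10.0.0.5 POST /query.do?jsessionid=abc123 sql=SELECT+COUNT%28%2A%29+FROM+INFORMATION_SCHEMA.TABLES
  2018-04-01T10:00:03Z 10.0.0.5 POST /query.do?jsessionid=abc123 sql=CREATE+ALIAS+SQRT2+FOR+%22java.lang.Math.sqrt%22
  2018-04-01T10:00:04Z 10.0.0.9 POST /query.do?jsessionid=def456 sql=CREATE+ALIAS+IF+NOT+EXISTS+ADDER+AS+%24%24+int+add%28int+a%2C+int+b%29+%7B+return+a+%2B+b%3B+%7D+%24%24
  2018-04-01T10:00:05Z 10.0.0.9 POST /query.do?jsessionid=def456 sql=SELECT+ADDER%281%2C2%29
LOG

# timestamp, source address, method, path, then the raw sql= value
LINE_RE = /\A(?<ts>\S+) (?<src>\S+) (?<method>\S+) (?<path>\S+) sql=(?<sql>.*)\z/

# H2 offers two CREATE ALIAS forms: FOR "class.method" binds an existing Java
# method; AS $$ ... $$ hands the server inline Java source to compile and load.
ALIAS_RE         = /\bCREATE\s+ALIAS\b/i
INLINE_SOURCE_RE = /\bAS\s+\$\$/i
BOUND_METHOD_RE  = /\bFOR\s+"[^"]+"/i

Finding = Struct.new(:src, :session, :form, :sql)

# Returns nil for ordinary SQL, otherwise which CREATE ALIAS form was used.
def classify_alias(sql)
  return nil unless sql =~ ALIAS_RE
  return :inline_source if sql =~ INLINE_SOURCE_RE
  return :bound_method if sql =~ BOUND_METHOD_RE
  :other
end

# Parses each log line, decodes the SQL and keeps only CREATE ALIAS requests,
# attributing each to the console session (jsessionid) that issued it.
def scan_console_log(text)
  text.each_line.filter_map do |line|
    m = LINE_RE.match(line.chomp) or next
    sql = CGI.unescape(m[:sql])
    form = classify_alias(sql) or next
    session = m[:path][/jsessionid=(\w+)/, 1]
    Finding.new(m[:src], session, form, sql)
  end
end

if $PROGRAM_NAME == __FILE__
  scan_console_log(SAMPLE_LOG).each do |f|
    puts "#{f.src} session=#{f.session} #{f.form}: #{f.sql}"
  end
end
```

Run against the sample, the scan reports two findings: the `FOR "java.lang.Math.sqrt"` binding from session `abc123` and the inline-source definition from session `def456`. The inline form is the one worth alerting on by default, since it compiles attacker-supplied Java inside the database process; the bound form still deserves review because it can expose any public static method on the classpath.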