SonarQube

SonarQube is a Java-based code quality platform. Exposed instances often disclose version information through unauthenticated API endpoints, and authenticated admin access can lead to command execution through the plugin upload and restart workflow.

Discovery

curl -I http://TARGET:9000/
curl http://TARGET:9000/api/system/status
curl http://TARGET:9000/api/server/version
curl http://TARGET:9000/api/webservices/list | jq .

Interesting unauthenticated checks:

curl http://TARGET:9000/api/components/search?qualifiers=TRK
curl http://TARGET:9000/api/projects/search

Default credentials are commonly:

admin:admin

Credential Hunting

Check SonarQube configuration and backups for database credentials:

type C:\Sonarqube\sonarqube-VERSION\conf\sonar.properties
type C:\Sonarqube\sonarqube-VERSION\conf\sonar.properties.bak

Interesting keys:

sonar.jdbc.username=DB_USER
sonar.jdbc.password=DB_PASSWORD
sonar.jdbc.url=jdbc:h2:...
sonar.jdbc.url=jdbc:postgresql://...

If you find admin database credentials, try them against the web login as well.
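
As an added example (not code from the original page or from SonarQube itself), a small Python audit that parses a sonar.properties file and flags the keys listed above: plaintext JDBC credentials and an embedded H2 database. The file contents are a constructed sample embedded inline.

```python
"""Audit a SonarQube sonar.properties file for the findings discussed above.
Added example; the sample file below is constructed, not a real deployment."""
from typing import Dict, List

# Constructed sample of a sonar.properties file: comments, blank lines,
# an H2 JDBC URL and plaintext database credentials.
SAMPLE_PROPERTIES = """\
# Database settings
sonar.jdbc.username=sonar_app
sonar.jdbc.password=S3cretPassw0rd
sonar.jdbc.url=jdbc:h2:tcp://localhost:9092/sonar

# Web server
sonar.web.port=9000
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Parse Java .properties text into a dict. Handles '#'/'!' comment lines,
    '=' or ':' as the key/value separator, and backslash line continuations."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        # The first '=' or ':' splits key from value; a bare key has an empty value.
        idx = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if idx < 0:
            props[line] = ""
        else:
            props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def audit(props: Dict[str, str]) -> List[str]:
    """Return the findings a defender should act on for this configuration."""
    findings: List[str] = []
    if props.get("sonar.jdbc.password"):
        findings.append("plaintext database password stored in sonar.jdbc.password")
    if props.get("sonar.jdbc.url", "").startswith("jdbc:h2:"):
        findings.append("embedded H2 database in use; its files on disk contain the full dataset")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_properties(SAMPLE_PROPERTIES)):
        print("FINDING:", finding)
```

Run the same audit against the .bak copy of the file as well, since backups are often left with the same credentials.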

H2 Database Extraction

Older SonarQube installs may use H2 locally:

Files to grab:

Use H2's Script tool to dump the database:

Then search the dump:

Authenticated Plugin Upload RCE

Admin users can upload plugins. A malicious plugin can execute code when SonarQube loads it, often after a service restart.

Minimal plugin class pattern:

Build and upload:

If the SonarQube service runs as LocalSystem, the plugin executes as NT AUTHORITY\SYSTEM.

Windows Service Checks

Watch for:

Writable service binaries or service wrapper paths can be abused as standard Windows service privilege escalation. See Windows Privilege Escalation.
