H2 enumeration and exploitation

Initial enumeration

nmap -vv -p 8082,9092 -sT --script=+h2* <ip>

Connecting to an H2 database

  • Connect to a database using h2.jar:
java -cp h2*.jar org.h2.tools.Shell

Enumerating a database

  • Get version:
SELECT H2VERSION();
  • Get current database:
SELECT database();
  • Get current user:
SELECT current_user();
  • Get current user's password hash:
SELECT password FROM information_schema.users WHERE user_name=current_user(); -- Some databases still use password column
  • List all users:
SELECT user_name FROM information_schema.users ORDER BY 1;
  • Get default user's password hash:
SELECT password FROM information_schema.users WHERE user_name='sa'; -- Some databases still use password column
  • List tables:
SELECT table_schema,table_name FROM information_schema.tables ORDER BY 1;
  • List table columns:
SELECT column_name FROM information_schema.columns WHERE table_name='<table_name>' ORDER BY 1;
  • Search for tables with names like %user%:
SELECT table_schema,table_name FROM information_schema.tables WHERE lower(table_name) LIKE concat(char(37),char(117),char(115),char(101),char(114),char(37)) ORDER BY 1 LIMIT 1 OFFSET 0;
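Detecting this enumeration

The queries above leave a recognisable pattern in SQL logs. The following Python script is an added example, not part of the original cheat sheet: it flags sessions that combine several of these probes and decodes concat(char(...)) literals for review. The tab-separated log layout (timestamp, session, SQL), the rule and function names, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Rules derived from the enumeration queries listed on this page.
RULES = {
    "version_probe": re.compile(r"\bh2version\s*\(", re.I),
    "user_table_read": re.compile(r"\binformation_schema\s*\.\s*users\b", re.I),
    "schema_listing": re.compile(r"\binformation_schema\s*\.\s*(?:tables|columns)\b", re.I),
    "char_encoded_literal": re.compile(r"(?:\bchar\s*\(\s*\d+\s*\)\s*,\s*){2,}", re.I),
}
CHAR_CONCAT = re.compile(r"\bconcat\s*\(\s*((?:char\s*\(\s*\d+\s*\)\s*,?\s*)+)\)", re.I)

def decode_char_concat(sql):
    """Collapse concat(char(N),...) into the quoted literal it builds."""
    def repl(match):
        codes = re.findall(r"\d+", match.group(1))
        return "'" + "".join(chr(int(c)) for c in codes) + "'"
    return CHAR_CONCAT.sub(repl, sql)

def scan(log_lines):
    """Return {session: {"rules": set, "queries": [decoded sql]}} for matching lines."""
    hits = defaultdict(lambda: {"rules": set(), "queries": []})
    for line in log_lines:
        # Assumed line layout: "<timestamp>\t<session>\t<sql>"
        _ts, session, sql = line.rstrip("\n").split("\t", 2)
        matched = {name for name, rx in RULES.items() if rx.search(sql)}
        if matched:
            hits[session]["rules"] |= matched
            hits[session]["queries"].append(decode_char_concat(sql))
    return dict(hits)

def suspicious_sessions(hits, threshold=2):
    """Sessions that triggered at least `threshold` distinct rules."""
    return sorted(s for s, h in hits.items() if len(h["rules"]) >= threshold)

# Constructed sample log (not real data).
SAMPLE_LOG = [
    "2024-05-01T10:00:01\ts1\tSELECT id, name FROM orders WHERE id = 7",
    "2024-05-01T10:00:05\ts2\tSELECT H2VERSION();",
    "2024-05-01T10:00:06\ts2\tSELECT password FROM information_schema.users WHERE user_name='sa';",
    "2024-05-01T10:00:09\ts2\tSELECT table_name FROM information_schema.tables WHERE lower(table_name) "
    "LIKE concat(char(37),char(117),char(115),char(101),char(114),char(37))",
    "2024-05-01T10:00:12\ts3\tSELECT table_name FROM information_schema.tables",
]

if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for session in suspicious_sessions(result):
        print(session, sorted(result[session]["rules"]), result[session]["queries"])
```

A single schema listing (session s3 in the sample) stays below the threshold, since ORMs and admin tools read information_schema routinely; tune the threshold to the application's normal traffic.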