CVE-2021-42392 PoC — H2database code issue vulnerability

Source
Associated Vulnerability
Title: H2database code issue vulnerability (CVE-2021-42392)
Description: The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to an LDAP or RMI server, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution.
Readme
# ⚠️ H2 Database RCE Exploit PoC (CVE-2021-42392)

This repository provides a minimal and controlled environment to test the **H2 Database Remote Code Execution vulnerability (CVE-2021-42392)** using the `CREATE ALIAS` feature. Unlike many demonstrations, this exploit targets the H2 TCP service directly (typically on port 9092), without relying on the H2 Web Console.

> 🛑 **For educational and testing purposes only. Do not use on systems you don't own or have explicit permission to test.**

---

## Description

CVE-2021-42392 is a critical vulnerability in H2 Database versions prior to 2.0.206 that allows remote code execution via `CREATE ALIAS` if the database is exposed over TCP or via the Web Console.

This project includes:

- A vulnerable H2 database server running version `2.0.202`
- A Python exploit script using `jaydebeapi` and `JPype`
- Docker containers to simplify setup



## Requirements

With Docker:
- [Docker](https://www.docker.com/)
- [Docker Compose](https://docs.docker.com/compose/)


If running the exploit outside Docker:
- Python 3 (with jpype and jaydebeapi modules)
- Java
- [h2-jar](https://repo1.maven.org/maven2/com/h2database/h2/2.0.202/h2-2.0.202.jar)


## How to Run

### 1. Clone the repository

```bash
git clone https://github.com/Be-Innova/CVE-2021-42392-exploit-lab
cd CVE-2021-42392-exploit-lab
```

### 2. Build and start containers
```bash
docker compose build
docker compose up -d
```

### 3. Launch the exploit
```bash
docker compose exec client bash

python3 h2_exploit.py --url jdbc:h2:tcp://h2-vulnerable\:9092/~/test --cmd "touch /tmp/pwned" --jar /jars/h2.jar
```

---

## Exploit Script Usage

```bash
python3 h2_exploit.py --url <jdbc-url> --cmd "<command>" --jar "path-to-jar"
```

Arguments:

- `--url`: JDBC URL of the vulnerable H2 instance (e.g. jdbc:h2:tcp://192.168.1.100\\:9092/~/test)

- `--cmd`: Command to execute on the vulnerable server

- `--jar`: Optional path to H2 driver JAR (default: /jars/h2.jar)

### 🤐 Requirements to exploit the RCE in other environments

- Port `9092` open on the vulnerable H2 Database
- Credentials for the database
- `javac` compiler installed on the server running the vulnerable database
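
Seen from the defender's side, the version threshold given in the Description turns into an inventory check. The following is an added example, not part of this repository: it walks a directory tree for jars that contain `org/h2/util/JdbcUtils.class` (the class named in the CVE description) and classifies each against 2.0.206. The function names and the reliance on `Implementation-Title` / `Implementation-Version` manifest headers are assumptions of this example.

```python
import re
import zipfile
from pathlib import Path

FIXED = (2, 0, 206)  # per the page: releases prior to 2.0.206 are affected
MARKER = "org/h2/util/JdbcUtils.class"  # class named in the CVE description
NAME_RE = re.compile(r"^h2-(\d+(?:\.\d+)+)\.jar$")  # e.g. h2-2.0.202.jar


def _to_tuple(text):
    return tuple(int(part) for part in text.split("."))


def h2_version(jar_path):
    """Return (is_h2, version_tuple_or_None) for one jar file."""
    jar_path = Path(jar_path)
    try:
        with zipfile.ZipFile(jar_path) as jar:
            names = set(jar.namelist())
            if MARKER not in names:
                return False, None
            manifest = ""
            if "META-INF/MANIFEST.MF" in names:
                manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, OSError):
        return False, None  # unreadable or not a zip archive
    by_name = NAME_RE.match(jar_path.name)
    if by_name:
        return True, _to_tuple(by_name.group(1))
    # Assumption: an unrenamed H2 manifest carries these two headers.
    if re.search(r"^Implementation-Title:.*\bH2\b", manifest, re.M):
        found = re.search(r"^Implementation-Version:\s*(\d+(?:\.\d+)+)", manifest, re.M)
        if found:
            return True, _to_tuple(found.group(1))
    return True, None  # H2 classes present (e.g. shaded jar), version unknown


def audit(root):
    """Map each H2-bearing jar under root to 'affected', 'ok' or 'unknown'."""
    report = {}
    for jar_path in sorted(Path(root).rglob("*.jar")):
        is_h2, version = h2_version(jar_path)
        if is_h2:
            status = "unknown" if version is None else "affected" if version < FIXED else "ok"
            report[str(jar_path)] = status
    return report
```

Call `audit("<deployment-root>")` on an application or image filesystem; entries reported as `unknown` are jars that bundle H2 classes without a usable version and need manual review.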

---

### Disclaimer

This code is provided as-is for educational and ethical penetration testing in isolated environments. Do not use it on unauthorized systems. The author takes no responsibility for misuse.

---


### References

https://nvd.nist.gov/vuln/detail/CVE-2021-42392

https://www.h2database.com/html/main.html