漏洞描述
Actuator是Spring Boot提供的服务监控和管理中间件,当 /env、/refresh 端点允许POST方式进行访问,且目标使用 com.h2database.h2 时存在远程命令执行漏洞。
SpringBoot h2 database 远程命令执行
PoC代码
暂无相关漏洞推荐
- springboot-actuator-unauth: Springboot Actuator Unauth
- pbootcms-database-file-download: Pbootcms Database File Download
- POC CVE-2025-46822: Java-springboot-codebase 1.1 - Arbitrary File Read
- POC azure-sql-database-rename-unalerted: Azure SQL Database Rename Alert Not Configured
- POC azure-database-tier-cmk-absent: Customer-Managed Key Not Configured for Azure Database Tier
- POC h2-database-web-console-unauthorized-access: H2 Database Web Console Unauthorized Access
- POC gcloud-sql-database-public-ip-configured: Cloud SQL Database Instances with Public IPs
- POC gcloud-sql-skip-show-database-disabled: Skip Show Database Flag Not Enabled for MySQL Instances
- POC springboot-h2-db-rce: Spring Boot H2 Database RCE
- POC zzsk-wms-getdatabase-disclosure: 郑州时空-TMS运输管理系统 GetDataBase 信息泄露
- POC grails-database-admin-console: Grails Admin Console Panel - Detect
- POC odoo-database-manager: Odoo - Database Manager Discovery
- POC froxlor-database-backup: Froxlor Server Management Backup File - Detect