Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-38646 PoC — Metabase 安全漏洞

Source
https://github.com/alexandre-pecorilla/CVE-2023-38646
Associated Vulnerability
Title:Metabase 安全漏洞 (CVE-2023-38646)
Description:Metabase是美国Metabase公司的一个开源数据分析平台。 Metabase 0.46.6.1之前版本和Metabase Enterprise 1.46.6.1之前版本存在安全漏洞,该漏洞源于允许攻击者以运行该服务的权限在服务器上执行任意命令。
Description
CVE-2023-38646 Pre-Auth RCE in Metabase
Readme
# CVE-2023-38646

**Fork of [kh4sh3i's](https://github.com/kh4sh3i/CVE-2023-38646/tree/main) removing the need for Burp Collector.**

[CVE-2023-38646](https://nvd.nist.gov/vuln/detail/CVE-2023-38646) (Pre-Auth RCE in Metabase):
> Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation.

## Usage
`python3 CVE-2023-38646.py -u http://target.com -t 349fa13d-fd94-4d9b-b54f-b4ebf2df682f -i 10.10.15.101 -p 5555`

For more info read this [post](https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/).

## Credits
[@fay4breakme](https://app.hackthebox.com/profile/1642382)

[@kh4sh3i](https://github.com/kh4sh3i)

[@alex4breakme](https://app.hackthebox.com/profile/1546865)
File Snapshot

 [4.0K]  /data/pocs/f824c026e0a0692c8eb26afb7850cbcb058601fb
├── [1.5K]  CVE-2023-38646.py
├── [ 839]  README.md
└── [  25]  requirements.txt

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.