Mallory
Severity: Critical | Public exploit available

Unauthenticated Command Injection in Metabase Setup Validation

Identifiers: CVE-2023-38646, CWE-78

CVE-2023-38646 is an unauthenticated command injection vulnerability in Metabase. Affected versions are Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1; the fix was also backported to older release lines as 0.45.4.1 / 1.45.4.1, 0.44.7.1 / 1.44.7.1, and 0.43.7.2 / 1.43.7.2. The issue allows arbitrary commands to be executed on the underlying server with the privileges of the Metabase service account. The root cause is that affected versions keep returning the instance's setup token from the unauthenticated /api/session/properties endpoint after first-time setup has finished, and /api/setup/validate accepts that token to test a database connection supplied in the request body. An attacker who submits an H2 JDBC connection string there can make H2 run SQL as the connection is opened; a CREATE TRIGGER statement with a JavaScript body that calls java.lang.Runtime.getRuntime().exec() results in a bash command being executed on the host. No credentials are needed at any step.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation results in unauthenticated remote command execution on the Metabase server. An attacker can run arbitrary OS commands with the privileges of the Metabase process, which can be used to deploy malware, establish persistence, exfiltrate data accessible to the service account, pivot further into the environment, or fully compromise the application host depending on local privileges and surrounding controls.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict network access to Metabase and remove public exposure where feasible: place the service behind a VPN, IP allowlisting, or reverse-proxy access controls, and at the proxy deny POST /api/setup/validate from any client that is not performing first-time setup. Note that /api/session/properties cannot simply be blocked, because the Metabase frontend loads it on every page; only the patch stops it from returning the setup token. Monitor for a GET to /api/session/properties followed by a POST to /api/setup/validate from the same client, and review hosts for signs of command execution (shell, curl, or similar child processes of the Metabase Java process, unexpected outbound connections) or other post-exploitation activity. Running Metabase with minimal OS privileges reduces impact, but does not remove the vulnerability.
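The monitoring advice above can be turned into a concrete check over web-server access logs. The following is an added example, not code from this page or from Metabase: it parses Combined Log Format lines (the sample lines are constructed, not real traffic) and flags two things, any POST to /api/setup/validate, and the tighter exploit sequence of a token fetch from /api/session/properties followed by that POST from the same client within a time window. A lone GET to /api/session/properties is deliberately not flagged, since the Metabase frontend issues it on every page load. The five-minute window and the log format are assumptions to adapt to your environment.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines in Combined Log Format (not real traffic).
# The first client fetches the properties endpoint and then POSTs to the setup
# validator two seconds later, which is the CVE-2023-38646 request pattern.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Jul/2023:10:15:01 +0000] "GET /api/session/properties HTTP/1.1" 200 9123 "-" "python-requests/2.31.0"
203.0.113.7 - - [30/Jul/2023:10:15:03 +0000] "POST /api/setup/validate HTTP/1.1" 400 215 "-" "python-requests/2.31.0"
198.51.100.4 - - [30/Jul/2023:10:20:44 +0000] "GET /api/session/properties HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
198.51.100.4 - - [30/Jul/2023:10:20:45 +0000] "GET /api/user/current HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [30/Jul/2023:11:02:10 +0000] "POST /api/setup/validate HTTP/1.1" 200 2 "-" "curl/8.1.2"
"""

# Combined Log Format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore any query string
    return rec


def find_setup_abuse(lines, window=timedelta(minutes=5)):
    """Return findings for CVE-2023-38646-style activity, in log order.

    Rules:
      setup_validate_post        any POST /api/setup/validate (legitimate only during first-time setup)
      token_then_validate_chain  the same client fetched /api/session/properties within `window`
                                 before that POST, i.e. the token-retrieve-then-validate sequence
    A GET /api/session/properties on its own is not flagged: the frontend calls it constantly.
    """
    findings = []
    last_props = {}  # client ip -> timestamp of its most recent GET /api/session/properties
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, ts = rec["ip"], rec["ts"]
        if rec["method"] == "GET" and rec["path"] == "/api/session/properties":
            last_props[ip] = ts
        elif rec["method"] == "POST" and rec["path"] == "/api/setup/validate":
            # Do not filter on status: the H2 payload runs as a side effect of opening the
            # connection, so the validate call can return an error even when the command ran.
            findings.append({"ip": ip, "ts": ts, "status": rec["status"], "rule": "setup_validate_post"})
            prev = last_props.get(ip)
            if prev is not None and timedelta(0) <= ts - prev <= window:
                findings.append({"ip": ip, "ts": ts, "status": rec["status"], "rule": "token_then_validate_chain"})
    return findings


if __name__ == "__main__":
    for f in find_setup_abuse(SAMPLE_LOG.splitlines()):
        print(f["ts"].isoformat(), f["ip"], f["rule"], f["status"])
```

Run it against the access log of the reverse proxy in front of Metabase (the proxy's log, not Metabase's own, is where the client IP is reliable). A `setup_validate_post` hit on an instance that finished setup long ago is worth a ticket on its own; a `token_then_validate_chain` hit is the exploit sequence and should trigger the assume-compromise checklist below.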

Remediation

Patch, then assume compromise.

Upgrade Metabase to a fixed version: 0.46.6.1 / 1.46.6.1, or one of the backported fixes 0.45.4.1 / 1.45.4.1, 0.44.7.1 / 1.44.7.1, or 0.43.7.2 / 1.43.7.2. Ensure every internet-exposed Metabase instance is on one of these releases or later, and after upgrading confirm that an unauthenticated request to /api/session/properties no longer returns a setup-token. Because the token was retrievable by anyone for as long as the instance was exposed, treat exposed instances as potentially compromised: rotate the data-source credentials stored in Metabase and any secrets readable by the service account, and hunt for persistence on the host.
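To turn the fixed-version list above into a repeatable check, here is an added example (not code from this page or from Metabase) that takes the raw JSON body of /api/session/properties and classifies the instance. It assumes two things: that the version tag lives under `version.tag` and the token under `setup-token` (the exploit summaries on this page use the latter name), and that the per-line fixed releases listed on this page are the complete set, so anything on the 0.42/1.42 line or older is treated as unfixed. The sample bodies are constructed and the token value is a placeholder.

```python
import json
import re

# First fixed release on each affected release line, from the fixed versions listed on this page.
# Keyed by the minor number shared by the open-source (0.x) and Enterprise (1.x) editions;
# values are (patch, hotfix). Lines older than 0.43 / 1.43 have no backported fix listed here.
FIXED_BY_LINE = {46: (6, 1), 45: (4, 1), 44: (7, 1), 43: (7, 2)}

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(tag):
    """'v0.46.6.1' -> (0, 46, 6, 1); a missing fourth component is treated as 0."""
    m = VERSION_RE.match(tag.strip())
    if m is None:
        raise ValueError(f"unrecognised Metabase version tag: {tag!r}")
    major, minor, patch, hotfix = (int(g) if g is not None else 0 for g in m.groups())
    return major, minor, patch, hotfix


def version_is_fixed(tag):
    """True if the release already contains the CVE-2023-38646 fix."""
    major, minor, patch, hotfix = parse_version(tag)
    if major not in (0, 1):
        raise ValueError(f"unexpected major version in {tag!r}")
    if minor > 46:
        return True                      # 0.47 / 1.47 and later shipped after the fix
    if minor in FIXED_BY_LINE:
        return (patch, hotfix) >= FIXED_BY_LINE[minor]
    return False                         # 0.42 / 1.42 and older: no backported fix on this page


def triage_session_properties(body):
    """Classify a raw /api/session/properties response body (JSON text) fetched without auth.

    Uses the two fields the exploit path depends on: the version tag and whether a
    setup-token is returned to an unauthenticated caller.
    """
    props = json.loads(body)
    tag = (props.get("version") or {}).get("tag")
    token = props.get("setup-token")
    fixed = version_is_fixed(tag) if tag else None   # None when the tag is absent
    token_exposed = bool(token)

    if token_exposed and fixed is not True:
        verdict = "VULNERABLE: setup-token returned pre-auth on an unpatched (or unknown) release; patch and assume compromise"
    elif token_exposed:
        verdict = "UNCLAIMED: patched release still returns the token, so first-time setup is incomplete; anyone reaching it can claim the instance"
    elif fixed is False:
        verdict = "AFFECTED VERSION: no token observed in this response, but the release is unpatched; upgrade"
    elif fixed is True:
        verdict = "NOT EXPOSED: patched release and no setup-token returned"
    else:
        verdict = "UNKNOWN: no version tag in response"
    return {"version": tag, "version_fixed": fixed, "setup_token_exposed": token_exposed, "verdict": verdict}


# Constructed response bodies (not captured from a real instance); the token value is a placeholder.
SAMPLE_VULNERABLE = '{"version": {"tag": "v0.46.5"}, "setup-token": "00000000-1111-2222-3333-444444444444"}'
SAMPLE_PATCHED = '{"version": {"tag": "v1.46.6.1"}, "setup-token": null}'

if __name__ == "__main__":
    for body in (SAMPLE_VULNERABLE, SAMPLE_PATCHED):
        print(triage_session_properties(body)["verdict"])
```

In practice, fetch the body with a plain unauthenticated `curl` against your own instance's base URL plus `/api/session/properties` and feed it to `triage_session_properties`. The UNCLAIMED case matters even after patching: a freshly deployed instance legitimately hands out the token until an admin account exists, and until then anyone who can reach it can complete setup.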
PUBLIC EXPLOITS

Exploits

14 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.

Valid: 14 / 14 total
cve-2023-38646-poc | Maturity: PoC | Verified exploit

Repository contains two Python scripts targeting Metabase pre-auth RCE CVE-2023-38646 plus minimal project files (README, requirements.txt, license).

Structure and purpose:
- `CVE-2023-38646-POC.py`: scanner/PoC that attempts to retrieve `setup-token` from Metabase's unauthenticated endpoint `/api/session/properties`. It accepts either a single `--ip` or a `--list` file of IPs, and tries both `https://` and `http://` schemes. This is primarily for identifying potentially exploitable instances (token present and non-null).
- `CVE-2023-38646-Reverse-Shell.py`: exploit that takes `--rhost` (URL with optional port), `--lhost`, and `--lport` (default 4444). It normalizes the target URL, fetches the `setup-token` from `/api/session/properties`, then POSTs to `/api/setup/validate` with a crafted JSON body. The malicious portion is an H2 JDBC connection string in `details.details.db` that uses `CREATE TRIGGER ... $$//javascript` to execute `java.lang.Runtime.getRuntime().exec(...)`, decoding and running a base64-encoded bash reverse shell.

Exploit capabilities:
- Unauthenticated interaction with Metabase API endpoints.
- Information retrieval: extracts `setup-token` (and prints the version tag in the reverse-shell script).
- Remote code execution: leverages Metabase setup validation plus H2 connection-string injection to execute OS commands.
- Post-exploitation: establishes a reverse shell to an attacker-controlled listener.

Notable implementation details:
- TLS verification is disabled (`verify=False`) and urllib3 warnings are suppressed.
- Reverse shell payload is base64-encoded and executed via `bash -c`.
- The PoC script is closer to detection/triage, while the reverse-shell script is an operational exploit path.

cleanmgr112 | Disclosed Feb 10, 2025 | python | network (unauthenticated HTTP(S) requests to Metabase API endpoints leading to pre-auth RCE)
CVE-2023-38646 | Maturity: PoC | Verified exploit

This repository is an exploit for CVE-2023-38646, targeting Metabase version 0.46.6. The main exploit logic is in 'exploit.py', which automates the process of creating a new admin account (if one does not exist), logging in, and adding a malicious H2 database connection. The connection string is crafted to trigger remote code execution (RCE) by fetching and executing a SQL script from a remote server, and then running a reverse shell payload. The 'start.sh' script automates the setup by downloading and running the vulnerable Metabase version, then executing the exploit. The repository also includes a minimal 'poc.sql' file used to trigger the vulnerability. The exploit requires the target Metabase instance to be accessible at http://localhost:3000 and able to reach the attacker's server to fetch the malicious SQL script. The attack vector is network-based, exploiting the Metabase API and H2 database integration. The endpoints involved include the local Metabase instance and a remote server hosting the payload. The exploit is operational, providing a working RCE chain with a reverse shell payload.

BreezeGalaxy | Disclosed Jul 21, 2025 | python, bash | network
CVE-2023-38646-PoC-Metabase | Maturity: PoC | Verified exploit

This repository contains a Python proof-of-concept exploit for CVE-2023-38646, a remote code execution vulnerability in Metabase. The main file, 'metabase_exploit.py', automates the exploitation process by first retrieving a setup token from the target Metabase instance via the '/api/session/properties' endpoint. It then crafts a payload that abuses the H2 database trigger functionality to execute a base64-encoded bash reverse shell command, which is sent to the '/api/setup/validate' endpoint. The exploit requires the attacker to specify their own IP and port, where a listener (such as netcat) should be running to catch the reverse shell. The repository is structured with a single exploit script, a README describing usage and purpose, and a license file. The exploit is a functional proof-of-concept and does not include detection or post-exploitation features.

JayRyz | Disclosed Nov 26, 2024 | python | network
cve-2023-38646-poc | Maturity: PoC | Verified exploit

This repository provides two Python scripts targeting CVE-2023-38646, a pre-authentication remote code execution vulnerability in Metabase. The vulnerability arises from improper validation of JDBC connection strings in the /api/setup/validate endpoint, allowing unauthenticated attackers to execute arbitrary commands on the server.
- CVE-2023-38646-POC.py: checks whether a Metabase instance is vulnerable by attempting to retrieve the setup token from /api/session/properties over both HTTP and HTTPS. It can process a single IP or a list of IPs.
- CVE-2023-38646-Reverse-Shell.py: exploits the vulnerability to achieve remote code execution. It first retrieves the setup token, then sends a crafted request to /api/setup/validate with a malicious JDBC connection string that triggers a reverse shell (bash) to the attacker's listener.
The repository is structured with clear separation between proof-of-concept (token retrieval) and full exploitation (reverse shell). The only dependency is the 'requests' Python library. The README provides a technical overview of the vulnerability and exploitation steps. No hardcoded endpoints or IPs are present; the scripts require user-supplied target and listener information. The exploit is operational, providing a working reverse shell payload for attackers with network access to vulnerable Metabase instances.

XiaomingX | Disclosed Nov 22, 2024 | python | network
CVE-2023-38646 | Maturity: PoC | Verified exploit

This repository contains a Python-based exploit for CVE-2023-38646, a critical vulnerability in Metabase servers that allows unauthenticated remote code execution. The main file, exploit.py, is a standalone script that can target a single Metabase server or scan a list of servers for the vulnerability. It works by first retrieving a setup token from the /api/session/properties endpoint, then sending a specially crafted payload to the /api/setup/validate endpoint. The payload abuses the H2 database connection string to inject and execute arbitrary bash commands on the server. If a server is found to be vulnerable, the script can provide an interactive shell for further command execution. The exploit is operational and provides real RCE capabilities, not just detection. The repository is structured simply, with a README.md for instructions, requirements.txt for dependencies, and exploit.py as the main exploit script. No fake or destructive behavior is present; the exploit is focused and functional.

Chocapikk | Disclosed Jul 30, 2023 | python | network
CVE-2023-38646 | Maturity: PoC | Verified exploit

This repository contains a proof-of-concept exploit for CVE-2023-38646, a pre-authentication remote code execution (RCE) vulnerability in Metabase (both open source and Enterprise editions) prior to specific patched versions. The exploit is implemented in a single Python script (CVE-2023-38646.py), which takes as input the target Metabase URL, a setup-token (retrieved from /api/session/properties), and a Burp Collaborator URL for OOB verification. The script crafts a malicious payload that abuses the H2 database setup process to create a Java alias for executing shell commands, then triggers a curl request to the supplied collaborator URL. The README provides clear usage instructions, affected versions, and references. The LICENSE is a standard CC0 license. The exploit demonstrates command execution but does not provide a post-exploitation shell or advanced payload customization, making it a POC-level exploit.

kh4sh3i | Disclosed Aug 19, 2023 | python | network
CVE-2023-38646 | Maturity: PoC | Verified exploit

This repository provides exploit code for CVE-2023-38646, a pre-authentication remote code execution vulnerability in Metabase. The repository contains two main Python scripts:
1. CVE-2023-38646-POC.py: a proof-of-concept script that checks whether a given Metabase instance is leaking its setup-token by querying the /api/session/properties endpoint over HTTP and HTTPS. It can process a single IP or a list of IPs.
2. CVE-2023-38646-Reverse-Shell.py: an exploit script that, given a vulnerable Metabase instance, retrieves the setup-token and then abuses the /api/setup/validate endpoint to inject a malicious H2 database connection string. This string creates a trigger that executes a base64-encoded bash reverse shell payload, connecting back to the attacker's listener (specified by lhost and lport).
The repository also includes a README.md with usage instructions and a requirements.txt listing the 'requests' library as a dependency. The exploit targets Metabase servers accessible over the network and leverages HTTP(S) endpoints to achieve unauthenticated remote code execution, resulting in a reverse shell for the attacker.

securezeron | Disclosed Jul 30, 2023 | python | network
CVE-2023-38646-PoC | Maturity: PoC | Verified exploit

This repository provides a proof-of-concept (PoC) exploit for CVE-2023-38646, a pre-authentication remote code execution (RCE) vulnerability in Metabase (open source and enterprise versions prior to 0.46.6.1 and 1.46.6.1, respectively). The exploit consists of a single Python script (CVE-2023-38646.py) that automates the exploitation process. The script requires three arguments: the target URL, a setup token (retrieved from the /api/session/properties endpoint), and a collaborator URL (to verify out-of-band interactions). The exploit works by sending a crafted POST request to the /api/setup/validate endpoint, injecting a malicious H2 database connection string that defines a Java alias to execute arbitrary shell commands. The PoC payload causes the target server to make an HTTP request to the attacker's collaborator URL, confirming code execution. The repository also includes a README.md with detailed usage instructions and references, and a LICENSE file. The exploit demonstrates the vulnerability but does not provide a weaponized or fully automated attack chain.

shamo0 | Disclosed Aug 2, 2023 | python | network
metabase-pre-auth-rce-poc | Maturity: PoC | Verified exploit

This repository contains a Python proof-of-concept exploit for CVE-2023-38646, a pre-authentication remote code execution vulnerability in Metabase (open-source edition <0.46.6.1, enterprise edition <1.46.6.1). The main exploit logic is implemented in 'main.py', which takes a target URL, a setup token (retrieved from the '/api/session/properties' endpoint), and a command to execute. The script encodes the command in base64 and crafts a malicious payload that abuses the H2 database engine via the '/api/setup/validate' endpoint, resulting in arbitrary command execution on the target server. The exploit is operational and can be used to obtain a reverse shell or execute other commands, provided the attacker has access to a valid setup token. The repository is structured simply, with the main exploit in 'main.py', a README with usage instructions, and standard license and gitignore files.

m3m0o | Disclosed Oct 9, 2023 | python | network
MetabaseRceTools | Maturity: PoC | Verified exploit

This repository is a Java-based graphical exploitation tool targeting Metabase servers vulnerable to CVE-2023-38646 (unauthorized setup-token exposure leading to RCE). The tool provides a GUI for three main functions: (1) vulnerability detection by extracting the setup-token from /api/session/properties, (2) remote command execution via /api/setup/validate using a custom JSON payload, and (3) memory shell injection (Godzilla or cmd shell) for persistent access, also via /api/setup/validate. The code leverages OkHttp for HTTP(S) requests and bypasses SSL verification for HTTPS. The main entry point is Main.java, which implements the GUI and core logic. The tool requires the user to specify the target URL and optionally the path to metabase.jar. The exploit is operational, providing both detection and exploitation capabilities, including persistent access via memory shell injection. No hardcoded IPs or domains are present; endpoints are constructed dynamically based on user input.

Boogipop | Disclosed Oct 11, 2023 | java, xml | network
CVE-2023-38646 | Maturity: PoC | Verified exploit

This repository provides two Python scripts, 'single.py' and 'mass.py', to exploit the Metabase pre-auth remote code execution vulnerability (CVE-2023-38646). The exploit works by first retrieving a setup token from the target Metabase instance via the '/api/session/properties' endpoint. It then crafts a malicious payload that abuses the H2 database engine's trigger functionality, sending it to the '/api/setup/validate' endpoint. The payload executes arbitrary shell commands on the server by injecting a JavaScript trigger that calls 'java.lang.Runtime.getRuntime().exec' with a user-supplied command (base64-encoded and decoded on the target). 'single.py' targets a single Metabase instance, while 'mass.py' can exploit multiple targets in parallel, as specified in a file. Both scripts are operational exploits, requiring only the target URL(s) and the command to execute. The repository is focused, with clear usage instructions and references to public advisories and proof-of-concept writeups.

robotmikhro | Disclosed Aug 9, 2023 | python | network
CVE-2023-38646 | Maturity: PoC | Verified exploit

This repository contains a Python proof-of-concept exploit for CVE-2023-38646, a pre-authentication remote code execution vulnerability in Metabase. The main exploit file, CVE-2023-38646.py, takes as input a target URL, a setup token (retrieved from /api/session/properties), and a Burp Collaborator endpoint. It crafts a malicious payload using the H2 database connection string to inject a Java alias that executes arbitrary shell commands. The default payload triggers the target server to make a callback to the supplied Burp Collaborator endpoint, confirming code execution. The exploit is a standalone script and does not rely on any exploitation framework. The repository also includes a README with usage instructions and a GPL license. The attack vector is network-based, targeting the Metabase setup API before authentication is required. The exploit demonstrates the vulnerability but does not provide a weaponized or easily customizable payload beyond the supplied command.

0xrobiul | Disclosed Jul 29, 2023 | python | network
CVE-2023-38646 | Maturity: PoC | Verified exploit

This repository contains a Python exploit script (CVE-2023-38646.py) and a README for CVE-2023-38646, a pre-authentication remote code execution (RCE) vulnerability in Metabase. The exploit targets the Metabase setup process by first retrieving a setup token from the /api/session/properties endpoint. If the token is present, the script can send a crafted payload to the /api/setup/validate endpoint, injecting SQL through the H2 JDBC connection string to achieve RCE. The payload is user-supplied as a base64-encoded string, typically used to spawn a reverse shell or execute arbitrary commands on the target server. The README provides usage instructions and context, including how to set up a vulnerable Metabase instance for testing. The exploit is operational, requiring only a vulnerable Metabase instance and a suitable payload. The main attack vector is network-based, targeting HTTP endpoints exposed by Metabase. The repository is well-structured, with clear separation between exploit code and documentation.

Red4mber | Disclosed Oct 25, 2023 | python | network
CVE-2023-38646 | Maturity: PoC | Verified exploit

This repository contains a Python proof-of-concept exploit for CVE-2023-38646, a pre-authentication remote code execution vulnerability in Metabase (open source <0.46.6.1, Enterprise <1.46.6.1). The exploit leverages a flaw in the Metabase setup process, allowing an attacker with a valid setup token (obtainable from /api/session/properties) to send a specially crafted payload to the /api/setup/validate endpoint. The payload abuses the H2 database connection string to inject a JavaScript trigger that executes arbitrary system commands on the server. The exploit.py script takes three arguments: the target URL, the setup token, and the command to execute. The command is base64-encoded and executed via bash on the target. The repository is structured simply, with a single exploit script, a README providing usage instructions and context, and a license file. The exploit is operational and can be used to gain remote code execution, including reverse shells, on vulnerable Metabase instances.

Pyr0sec | Disclosed Oct 15, 2023 | python | network
EXPOSURE SURFACE

Affected products & vendors

Products and vendors correlated with this vulnerability.

Vendor: Metabase | Product: Metabase | Type: application

Vendor-confirmed product mapping.
