CVE-2021-41277

This PoC exploits a Local File Inclusion (LFI) vulnerability in Metabase by sending a crafted HTTP request to read arbitrary files (e.g., /etc/passwd). It checks for the presence of 'root:' in the response to confirm vulnerability.

This repository contains a Go-based proof-of-concept for CVE-2021-41277, an information disclosure vulnerability in Metabase. The exploit checks for the vulnerability by attempting to read the /etc/passwd file via a crafted GeoJSON API request.

This repository contains a Ruby script that scans a list of domains for CVE-2021-41277, an SSRF vulnerability in Metabase. It checks for the presence of '/etc/passwd' content in the response to determine vulnerability.

This repository contains a writeup describing CVE-2021-41277, a local file inclusion vulnerability in Metabase's custom GeoJSON map feature. The issue allows unvalidated URLs to be loaded, potentially leading to information disclosure.

This script checks for CVE-2021-41277, a local file inclusion vulnerability in Metabase versions x.40.0-x.40.4. It attempts to read /etc/passwd via the GeoJSON API endpoint to confirm vulnerability.

This repository contains a Go-based plugin for LeakIX designed to detect CVE-2021-41277, a Local File Inclusion (LFI) vulnerability in Metabase. The plugin sends a crafted HTTP request to exploit the LFI and verifies the response for signs of successful exploitation.

This PoC exploits a local file inclusion vulnerability in Metabase's GeoJSON map feature (CVE-2021-41277) by sending a crafted request to read arbitrary files from the server. The script uses curl to fetch files via the vulnerable endpoint.

This repository contains a Python script that scans for CVE-2021-41277, an arbitrary file read vulnerability in Metabase. It uses the FOFA API to fetch potential targets and checks for vulnerability by attempting to read /etc/passwd.

This PoC exploits CVE-2021-41277, an arbitrary file read vulnerability in Metabase, by sending crafted requests to the `/api/geojson` endpoint with `file://` URLs to read sensitive files like `/etc/passwd` or `win.ini`.

This repository contains a functional Python script that exploits CVE-2021-41277, an arbitrary file read vulnerability in MetaBase. The script sends a crafted request to the '/api/geojson' endpoint with a 'file:/etc/passwd' payload to read sensitive files.