POC details: d928dd34da7e66b5881b7978569f529a4523e042

Source
Associated vulnerability
Title: Grafana path traversal vulnerability (CVE-2021-43798)
Description: Grafana is an open-source monitoring tool from Grafana Labs that provides a visual monitoring interface. It is mainly used to monitor and analyse data sources such as Graphite, InfluxDB and Prometheus. Grafana 8.0.0-beta1 through 8.3.0 contains a path traversal vulnerability; an attacker can exploit it to perform directory traversal and read local files.
Description
This is a proof-of-concept exploit for Grafana's Unauthorized Arbitrary File Read Vulnerability (CVE-2021-43798).
Introduction
# CVE-2021-43798 – Grafana Exploit

## About

This is a proof-of-concept exploit for Grafana's Unauthorized Arbitrary File Read Vulnerability (CVE-2021-43798).

This vulnerability affects `Grafana 8.0.0-beta1 to 8.3.0`.

According to Shodan data, there are just over 2,000 Grafana servers exposed online, with the majority residing in the US and Europe, as can be seen in the figure below.

For more information:

https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/

## Contributors
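The README above describes an unauthenticated path traversal that reads arbitrary local files. From the defender's side, the most useful artefact is the web server or reverse-proxy access log, because a traversal attempt must put `..` segments (often URL-encoded, sometimes double-encoded) into the request path. The following detector is an added example written for this page; it is not code from the pedrohavay repository. The log lines are constructed, the `/static/` prefix is an arbitrary assumption rather than the affected Grafana route, and the regex assumes a Combined/Common log format request line.

```python
"""Flag path-traversal attempts in HTTP access logs (added example, not from the PoC repo)."""
import re
from urllib.parse import unquote

# Constructed sample log lines in Common Log Format. Hosts, paths and sizes are
# invented for the example; the "/static/" prefix is an assumption, not Grafana's route.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Dec/2021:10:01:22 +0000] "GET /api/health HTTP/1.1" 200 15
203.0.113.11 - - [10/Dec/2021:10:01:25 +0000] "GET /static/img/../../../../etc/passwd HTTP/1.1" 200 1042
203.0.113.12 - - [10/Dec/2021:10:01:30 +0000] "GET /static/img/..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1042
203.0.113.13 - - [10/Dec/2021:10:01:33 +0000] "GET /static/img/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 0
203.0.113.14 - - [10/Dec/2021:10:01:40 +0000] "GET /static/img/logo.png HTTP/1.1" 200 3021
"""

# Request line and status code; assumes Common/Combined Log Format.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"\s+(?P<status>\d{3})')


def decode_path(raw: str, max_rounds: int = 3) -> str:
    """Strip the query string and URL-decode repeatedly, so that double-encoded
    sequences such as %252e%252e are seen as '..'. Stops once decoding is stable."""
    path = raw.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Treat backslashes as separators too; some servers accept them.
    return path.replace("\\", "/")


def escapes_root(path: str) -> bool:
    """Walk the path segments and report whether '..' ever climbs above the root.
    A '..' that stays inside the tree (/a/b/../c) is not an escape."""
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def analyse_log(text: str) -> list:
    """Return one finding per request whose decoded path contains a '..' segment.
    Severity: high = escapes the root and the server answered 200 (likely a
    successful read); medium = escapes the root; low = '..' present but contained."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        decoded = decode_path(m.group("target"))
        if ".." not in decoded.split("/"):
            continue
        status = int(m.group("status"))
        escaped = escapes_root(decoded)
        if escaped and status == 200:
            severity = "high"
        elif escaped:
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "client": line.split(" ", 1)[0],
            "raw": m.group("target"),
            "decoded": decoded,
            "escapes_root": escaped,
            "status": status,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in analyse_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['client']:15} {f['status']} {f['raw']} -> {f['decoded']}")
```

The decoded path is kept alongside the raw one so an analyst can see what the application would have resolved; matching on the raw string alone misses the `%2f` and `%252e` variants, and a 200 response to a root-escaping path is the case worth paging on.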

[@pedrohavay](https://twitter.com/pedrohavay) and @acassio22

# Disclaimer

This project was created for **educational purposes** only and must not be used for illegal activity or personal gain.

The author of this project is not responsible for any possible harm caused by the materials of this project.

# Demo

![image](demo.gif)

# Installation

    git clone https://github.com/pedrohavay/exploit-grafana-CVE-2021-43798
    cd exploit-grafana-CVE-2021-43798
    pip install -r requirements.txt

# Usage

1. Collect all Grafana URLs in a single file. For example: `targets.txt`

2. Use the script

        python3 exploit.py

# Requirements

- Python 3
- SQLite3
File snapshot

    [4.0K] /data/pocs/d928dd34da7e66b5881b7978569f529a4523e042
    ├── [246K] demo.gif
    ├── [5.4K] exploit.py
    ├── [ 888] paths.txt
    ├── [ 375] payload.txt
    ├── [1.2K] README.md
    ├── [ 229] requirements.txt
    ├── [1.8K] secure.py
    ├── [ 35] targets.txt
    └── [ 284] utils.py

    0 directories, 9 files
Remarks
    1. Accessing the POC through the source link is recommended.
    2. If the source is unavailable or cannot be accessed, send an e-mail to f.jinxu#gmail.com (replace # with @) to request the local snapshot.
    3. Shenlong has snapshotted the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.