Skip to content

zer0yu/CVE-2021-43798

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
.github/workflows
.github/workflows
 
 
.goreleaser.yml
.goreleaser.yml
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

GrafanaArbitraryFileRead

Usage

1. show info

❯ go run main.go -s                                               
[INF] VulnInfo:
{
  "Name": "Grafana Arbitrary File Read",
  "VulID": "nil",
  "Version": "1.0",
  "Author": "z3",
  "VulDate": "2021-12-07",
  "References": [
    "https://nosec.org/home/detail/4914.html"
  ],
  "AppName": "Grafana",
  "AppPowerLink": "https://grafana.com/",
  "AppVersion": "Grafana Version 8.*",
  "VulType": "Arbitrary File Read",
  "Description": "An unauthorized arbitrary file reading vulnerability exists in Grafana, which can be exploited by an attacker to read arbitrary files on the host computer without authentication.",
  "Category": "REMOTE",
  "Dork": {
    "Fofa": "app=\"Grafana\"",
    "Quake": "",
    "Zoomeye": "",
    "Shodan": ""
  }
}%

2. verify

echo vulfocus.fofa.so:55628 | go run main.go -v -t 20
http://vulfocus.fofa.so:55628

3. exploit

echo http://vulfocus.fofa.so:51766 | go run main.go -m exploit -v

Realization of the utilization idea in reference 1. To extract more information please modify the regular in the getAccesskey function.

Reference

  1. grafana最新任意文件读取分析以及衍生问题解释
  2. Grafana Unauthorized arbitrary file reading vulnerability

Disclaimer

This procedure is for security self-inspection only, please consciously comply with local laws.

About

Grafana Arbitrary File Reading Vulnerability

Resources

Readme
Activity

Stars

27 stars

Watchers

2 watching

Forks

6 forks
Report repository

Releases 2

v1 Latest
Dec 7, 2021
+ 1 release

Packages

No packages published

Languages