Huaqing Xin'an DiX Research Institute: Grafana Directory Traversal (CVE-2021-43798) Lab Reproduction

Mondo Education Updated on 2024-01-30

Vulnerability introduction

Grafana is a cross-platform, open-source data visualization web application platform. Versions 8.0.0 through 8.3.0 contain a directory traversal vulnerability that lets unauthenticated users read local files on the server. The vulnerable path is /public/plugins/X, where X is the plugin ID of any installed plugin.
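A defender-side check for the traversal pattern described above, added here as an example and not part of the original post: it scans reverse-proxy access-log lines (constructed samples; the plugin ID and client addresses are assumptions) for requests under /public/plugins/ whose decoded path climbs out of the plugin directory, the same behaviour a request-traffic Suricata rule of the kind referenced in the PocSuite template would match.

```python
import re
from urllib.parse import unquote

# Constructed sample reverse-proxy access-log lines (not from the original post),
# in the nginx/Apache "combined" format. Plugin ID and client addresses are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Jan/2024:10:00:01 +0000] "GET /public/plugins/welcome/img/logo.svg HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [30/Jan/2024:10:00:02 +0000] "GET /public/plugins/welcome/../../../../etc/passwd HTTP/1.1" 200 2048 "-" "python-requests/2.28"
10.0.0.9 - - [30/Jan/2024:10:00:03 +0000] "GET /public/plugins/welcome/%2e%2e/%2e%2e/etc/grafana/grafana.ini HTTP/1.1" 200 4096 "-" "curl/7.81"
10.0.0.5 - - [30/Jan/2024:10:00:04 +0000] "GET /public/plugins/welcome/img/logo..old.png HTTP/1.1" 404 0 "-" "Mozilla/5.0"
10.0.0.7 - - [30/Jan/2024:10:00:05 +0000] "GET /api/dashboards/home HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

# Combined-log-format request line: client IP, method, raw path, status code.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def decode_path(raw_path: str) -> str:
    """Strip the query string and percent-decode until the path stops changing."""
    path = raw_path.split('?', 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_plugin_traversal(raw_path: str) -> bool:
    """True when a request under /public/plugins/ carries a '..' path segment.
    Checking whole segments avoids flagging file names that merely contain dots."""
    path = decode_path(raw_path)
    if not path.startswith('/public/plugins/'):
        return False
    return '..' in path.replace('\\', '/').split('/')


def scan_access_log(text: str) -> list:
    """Return (client_ip, decoded_path, status) for each traversal attempt.
    A 200 status means the server actually returned the requested file."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_plugin_traversal(m['path']):
            hits.append((m['ip'], decode_path(m['path']), int(m['status'])))
    return hits


if __name__ == '__main__':
    for ip, path, status in scan_access_log(SAMPLE_LOG):
        print(f"{ip} requested {path} (HTTP {status})")
```

Run it against the real proxy log in front of a Grafana instance; any hit with status 200 from an unpatched version should be treated as a confirmed file disclosure rather than a mere probe.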

Lab reproduction

Start the lab environment by running docker-compose up -d, which pulls the images and brings the containers up.

Run docker ps to confirm that the lab is listening on port 3000 of the local machine, then open it in the browser.

With a POC for the Grafana directory traversal vulnerability (CVE-2021-43798) prepared, use BurpSuite to intercept the request, construct the payload, and send it.

The /etc/passwd file was read successfully, which confirms the vulnerability; next we try to obtain the lab's flag.

Noticing a dedicated user named grafana, try reading its shell history.

The flag is not there. Several Grafana configuration files were also read; three of them are the most relevant:

/etc/grafana/grafana.ini, /var/lib/grafana/grafana.db, /usr/local/etc/grafana/grafana.ini

These are, respectively, the global configuration file, the Grafana SQLite database file, and the default configuration file. Read all three to see whether they offer any new leads.

After going through them I found nothing particularly useful, so I went to the login page instead. Trying the weak credential pair admin/admin succeeded; after some browsing I found the configured data source's database address and planned to query the flag from the database.

Clicking Test returned an error saying the database service was not running, so this route does not work. Searching online turned up no other way to obtain the lab's flag; presumably this lab is only meant to reproduce the directory traversal vulnerability and no flag was set.

POC Preparation

If the POC fails to run, the likely cause is that Python's requests module relies on urllib3, which automatically normalizes the request path you supply; refer to other solutions for this.

Python-based POC

PocSuite 3-based POC

The fields are, in order: vulnerability catalog ID, POC version, POC author, vulnerability publication date, POC creation date, POC update date, vulnerability ** address, POC name, vendor homepage URL, affected application name, affected versions, vulnerability type, vulnerability description, third-party module dependencies of the POC, POC category, default protocol, default port, search dork, request-traffic Suricata rule, and response-traffic Suricata rule.

Modify the exploit method according to the details of CVE-2021-43798.

Nuclei-based POC
