Grafana path traversal arbitrary file read
CVE-2021-43798 is a directory traversal flaw in Grafana affecting versions 8.0.0-beta1 through 8.3.0; it was fixed in 8.0.7, 8.1.8, 8.2.7 and 8.3.1. The issue is exposed through the public plugin asset route /public/plugins/<plugin-id>/<file>, which serves files out of an installed plugin's directory without confining the requested path to that directory, so traversal sequences in <file> escape it and read arbitrary files on the Grafana host. The vulnerability is remotely exploitable over HTTP without authentication; the only prerequisite is a plugin ID that exists on the target, and because Grafana ships with many bundled core plugins (welcome, alertlist, zipkin and others) a valid ID is easy to guess. Public examples show requests such as /public/plugins/welcome/../../../../../../../../etc/passwd returning server files; where a reverse proxy collapses a literal ../ before forwarding, the percent-encoded form ..%2f is used instead. Reads run with the permissions of the Grafana service account, so system files such as /etc/shadow or /root/.ssh/id_rsa are only exposed when Grafana runs as root, but Grafana's own files are always within reach. Available reporting indicates attackers use the flaw to retrieve grafana.ini and the SQLite database grafana.db, which together can yield user password hashes, session-related data, API keys, the secret_key, and the encrypted data source credentials that the secret_key decrypts.
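To see why joining a directory with a request path does not by itself prevent the escape described above, here is an added illustration in Go, written for this page rather than taken from Grafana's source. The vulnerable shape joins the plugin directory with the raw request and trusts the result; the hardened shape performs the same join and then rejects any result that is not inside the plugin directory. The plugin root /var/lib/grafana/plugins and the function names are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Assumed plugin root for the example; the real location depends on the install.
const pluginsRoot = "/var/lib/grafana/plugins"

var (
	ErrTraversal   = errors.New("requested asset resolves outside the plugin directory")
	ErrBadPluginID = errors.New("plugin id must be a single path segment")
)

// vulnerableAssetPath is the bug pattern: join the plugin directory with the raw
// request and trust the result. filepath.Join cleans the *joined* path, so the
// "../" segments are resolved against pluginDir and walk out of it; eight of them
// against a five-deep directory yield "/etc/passwd", a perfectly clean path.
func vulnerableAssetPath(pluginDir, requested string) string {
	return filepath.Join(pluginDir, requested)
}

// hardenedAssetPath performs the same join and then checks containment: the
// cleaned result must be the plugin directory itself or a descendant of it.
// On Linux a backslash is an ordinary filename byte, so "..\..\" stays inside
// the directory and simply fails to open; on Windows filepath treats it as a
// separator and the same check applies. Symlinks inside pluginDir that point
// outside it are not covered here (filepath.EvalSymlinks would be needed).
func hardenedAssetPath(pluginDir, requested string) (string, error) {
	root := filepath.Clean(pluginDir)
	full := filepath.Join(root, requested)
	if full != root && !strings.HasPrefix(full, root+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return full, nil
}

// resolvePluginAsset mirrors the shape of the /public/plugins/<id>/<file> route:
// the plugin id selects a directory under pluginsRoot, the remainder a file in it.
// The id is validated separately so it cannot carry traversal on its own.
func resolvePluginAsset(pluginID, requested string) (string, error) {
	if pluginID == "" || pluginID == "." || pluginID == ".." || strings.ContainsAny(pluginID, `/\`) {
		return "", ErrBadPluginID
	}
	return hardenedAssetPath(filepath.Join(pluginsRoot, pluginID), requested)
}

func main() {
	req := "../../../../../../../../etc/passwd" // the traversal used in the public PoCs
	dir := filepath.Join(pluginsRoot, "welcome")
	fmt.Println("vulnerable:", vulnerableAssetPath(dir, req))
	if _, err := hardenedAssetPath(dir, req); err != nil {
		fmt.Println("hardened:  ", err)
	}
	p, _ := resolvePluginAsset("welcome", "img/logo.svg")
	fmt.Println("legitimate:", p)
}
```

Grafana's patched releases confine the requested path to the plugin directory; the containment check after the join is one way to do that, and cleaning the request against "/" before joining is an equivalent one. Either way the check has to happen on the decoded path the router hands the handler, which is why the ..%2f variants in the exploit summaries below reach the same code.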
Exploits
21 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos. Several entries describe forks of the same code base and overlap.
The repository is a small Python exploit toolkit for CVE-2021-43798 affecting Grafana 8.0.0-beta1 through 8.3.0. It contains two functional scripts: (1) grafana_poc.py, an interactive unauthenticated arbitrary file-read exploit that abuses Grafana plugin asset traversal paths by requesting /public/plugins/<plugin>/../../...<absolute path>; and (2) grafana_pass_decryptor.py, an offline post-exploitation helper that parses grafana.ini to recover secret_key, decrypts encrypted secrets stored in grafana.db using AES-CFB or AES-GCM with PBKDF2-derived keys, and exports user password hashes from the SQLite user table, including hashcat mode 10900 output. The PoC randomly selects from a hardcoded list of Grafana plugin IDs to build the traversal URL, prompts the operator for absolute file paths, and saves returned content under a local output directory while sanitizing path components. The decryptor is not a network exploit itself; it is intended to process files obtained through the file-read vulnerability and extract actionable credentials and secrets. The repository structure is minimal: a README with usage and remediation details, the two Python scripts, requirements.txt, and .gitignore. The overall purpose is end-to-end exploitation and follow-on credential extraction for authorized testing of vulnerable Grafana instances.
This repository is a small Python post-exploitation toolkit for Grafana credential recovery, not a standalone initial-access exploit. It contains two executable scripts and a README. AESDecrypt.py is the primary recovery tool: it accepts either a single Base64 ciphertext or a file of ciphertexts, derives a 32-byte AES key from a supplied or default Grafana secret using PBKDF2-HMAC-SHA256 with 10,000 iterations and an 8-byte salt taken from the ciphertext prefix, and decrypts the payload in AES-CFB mode. Its purpose is to recover plaintext passwords stored in Grafana's data_source table. The script defaults to the Grafana secret SW2YcwTIb9zpOOhoPsMm if no key is provided and explicitly instructs the operator to obtain secret_key from /etc/grafana/grafana.ini. grafana2hashcat.py is a helper utility for a second credential path: it reads lines in hash,salt format from the Grafana user table, Base64-encodes the salt and binary digest, and emits Hashcat mode 10900 strings in the form sha256:10000:base64_salt:base64_digest. This does not crack passwords itself; it prepares them for offline cracking with Hashcat. The README ties both tools to CVE-2021-43798, a Grafana path traversal vulnerability affecting versions 8.0.0-beta1 through 8.3.0, and provides example HTTP requests against /public/plugins/zipkin/../../../../... to retrieve /etc/grafana/grafana.ini and /var/lib/grafana/grafana.db. Therefore, the overall attack chain is: exploit Grafana file read, obtain config/database, extract secret_key and stored credentials, then use this repository to decrypt data source passwords or convert user password hashes for cracking. No reverse shell, command execution, persistence, or network beaconing is implemented in the code itself; the capability is credential access and offline password recovery.
This repository is a standalone Python exploit for Grafana CVE-2021-43798, an unauthenticated directory traversal (arbitrary file read, labelled LFI in the repository) in Grafana 8.0.0 through 8.3.0. The repository contains 6 files: a README with usage notes, the main exploit script (exploit.py), two wordlists (payload.txt and paths.txt), a sample target list (targets.txt), and a small utility file (utils.py) containing ASCII art. The script is interactive and uses PyInquirer to ask for a target list file, then iterates over each target URL. Operationally, exploit.py first brute-forces a valid plugin name from payload.txt by requesting /public/plugins/<plugin>/..%2f.../etc/passwd until it receives HTTP 200. Once a working plugin path is found, it iterates through traversal paths from paths.txt to download sensitive files such as Grafana configuration files, grafana.db, passwd/shadow, SSH keys, shell histories, and procfs network/process artifacts. Retrieved files are saved locally in a directory named after the target. A notable post-exploitation feature is credential recovery: if grafana.db is downloaded, the script optionally opens the SQLite database, queries data_source.secure_json_data, extracts encrypted password fields, and attempts to decrypt them using a Grafana secret_key recovered from defaults.ini or grafana.ini. If no config-derived key is found, it falls back to the hardcoded default secret SW2YcwTIb9zpOOhoPsMm. This makes the tool more than a simple detector; it is a functional file disclosure and credential extraction exploit. The code is clearly intended for web-based remote exploitation over HTTP/HTTPS. It disables TLS verification and suppresses urllib3 warnings. There is a minor implementation issue: in the grafana.ini branch it mistakenly reads found["defaults.ini"] instead of found["grafana.ini"], but this does not change the overall purpose. The import 'from secure import decrypt' implies an additional module not present in the listed files, but the exploit logic still clearly shows the intended password-decryption behaviour.
The repository contains a single Python exploit script (GrafTraverse.py) and a README. The script is a standalone operational PoC for CVE-2021-43798, an unauthenticated Grafana directory traversal vulnerability. It constructs a malicious URL by appending /public/plugins/alertlist/ plus an 8-level ../ traversal string and a chosen filesystem path to a user-supplied Grafana base URL, then issues HTTP GET requests with requests.Session and redirects disabled. The exploit checks for successful file disclosure by requiring HTTP 200 with non-empty content and filtering obvious plugin asset responses containing strings like function, define(, or export. The primary capability is arbitrary file read from the remote Grafana server. The built-in automated loot list in code targets sensitive files including /etc/passwd, /etc/grafana/grafana.ini, /var/lib/grafana/grafana.db, /etc/hosts, /root/.ssh/id_rsa, and /var/log/grafana/grafana.log. Retrieved content can be displayed in the terminal and optionally saved to a date-based local output directory. The script supports single-target mode and batch mode via a target list file, making it useful for repeated exploitation across multiple hosts. The README describes a richer 'mini exploitation framework' with features such as plugin brute-force, interactive mode, wordlists, proxy support, custom headers, JSON/CSV logging, and hash extraction, but the provided Python file is simpler and does not implement all documented features in the visible code. Based on the actual script content, this repository should be treated as a standalone Python exploit rather than a formal framework module. Overall purpose: automate exploitation of vulnerable Grafana instances to exfiltrate sensitive local files over HTTP.
This repository is a standalone Python proof-of-concept/operational exploit for Grafana CVE-2021-43798, an unauthenticated directory traversal/local file inclusion vulnerability in Grafana 8.0.0 through 8.3.0. The repository contains six files: a README with usage guidance, exploit.py as the main executable, paths.txt listing sensitive remote files to retrieve, payload.txt listing candidate plugin names used to construct traversal URLs, targets.txt with example target URLs, and utils.py containing only ASCII-art branding. The script is interactive and asks for a target list file, then iterates over each target and each plugin name until it finds a plugin path that successfully returns /etc/passwd via /public/plugins/<plugin>/..%2f traversal. Once a working plugin is identified, it attempts to download a predefined set of sensitive files including passwd, shadow, Grafana configs, SSH keys, procfs network/process data, and /var/lib/grafana/grafana.db. Retrieved files are written locally into a directory named after the sanitized target URL. If grafana.db is recovered, the script optionally opens the SQLite database, extracts secure_json_data from the data_source table, derives the Grafana secret_key from defaults.ini or grafana.ini if available (otherwise using the hardcoded default SW2YcwTIb9zpOOhoPsMm), and attempts to decrypt stored datasource passwords. Overall, the exploit provides unauthenticated file disclosure plus post-exploitation credential recovery from Grafana datasource configuration, making it more than a simple detector.
The repository contains a single Python exploit script, CVE-2021-43798.py, targeting Grafana path traversal / arbitrary file read (CVE-2021-43798). It is a standalone exploit, not part of a larger framework. The script structure is simple: a hardcoded DIRECTORY_LIST of candidate Grafana plugin asset paths, a confirm_lfi() routine that iterates through those paths and appends /etc/passwd to identify a working traversal vector, an lfi_shell() routine that provides an interactive prompt for reading arbitrary files, argument parsing for --domain and --port, and signal handlers for graceful exit. Operationally, the exploit first sends HTTP GET requests to many /public/plugins/<plugin>/../../../../../../../.. traversal paths on the target host and port. If any request for /etc/passwd returns HTTP 200, it treats that plugin path as vulnerable and enters an interactive file-read mode. In that mode, the operator supplies arbitrary file paths, which are appended to the discovered traversal base and fetched over HTTP. Text responses are printed to stdout; undecodable binary content is written locally to /tmp as a randomly named .bin file. The exploit’s main capability is unauthenticated arbitrary file disclosure over the network against vulnerable Grafana instances. It does not include code execution, persistence, privilege escalation, or lateral movement functionality. The target is fingerprinted through Grafana-specific plugin endpoints, and the exploit is primarily suited for Unix-like deployments because it validates success using /etc/passwd.
This repository contains two Bash scripts that exploit CVE-2021-43798, a path traversal vulnerability in Grafana (8.x before 8.3.1, other than the patched 8.0.7, 8.1.8 and 8.2.7 releases). The scripts are: 1. cve-2021-43798-enum.sh: Targets Linux-based Grafana servers. It enumerates known plugins and attempts to exploit the path traversal vulnerability to read /etc/passwd and other sensitive files. If a vulnerable plugin is found, it provides curl commands to read configuration files and download the Grafana database. 2. cve-2021-43798-enum-win.sh: Targets Windows-based Grafana servers. It tests a set of plugins and various traversal encodings to find a vulnerable combination, then reads Windows system files (win.ini, hosts), Grafana configuration, and attempts to download the Grafana database. It also provides manual curl commands for further exploitation. Both scripts require the attacker to supply the target Grafana URL. They automate the process of identifying vulnerable plugins and exploiting the path traversal to extract sensitive files, including the Grafana database, which can be used to extract user credentials. The scripts are proof-of-concept (POC) exploits and do not provide post-exploitation capabilities beyond file read and database extraction.
This repository provides two Python tools for post-exploitation of Grafana instances, specifically targeting credentials stored in the Grafana database. The main exploit scenario involves first leveraging CVE-2021-43798, a path traversal vulnerability in Grafana 8.0.0-beta1 through 8.3.0, to download sensitive files such as the configuration file (grafana.ini) and the database (grafana.db). AESDecrypt.py is used to decrypt AES-256 encrypted data source passwords from the data_source table in the database, using either a default or extracted secret key. grafana2hashcat.py converts PBKDF2_HMAC_SHA256 password hashes from the user table into a format compatible with Hashcat, enabling offline password cracking. The repository includes a detailed README with usage instructions, exploitation workflow, and references to the original vulnerabilities and tools. No network endpoints or remote services are contacted by the scripts; all operations are performed on files obtained from a compromised Grafana instance. The code is operational and suitable for use in real-world post-exploitation scenarios.
This repository contains a Python proof-of-concept exploit for CVE-2021-43798, the Grafana directory traversal vulnerability (the README cites version 8.3.0). The repository consists of a README.md describing the vulnerability and usage context, and a single exploit script (readFiles.py). The script allows an attacker to interactively specify files to read from a vulnerable Grafana server by sending crafted HTTP GET requests to a plugin asset endpoint that abuses the directory traversal flaw. The exploit is operational from the command line, requiring the attacker to provide the target's IP address and port. The main capability is reading arbitrary files from the server's filesystem, which can lead to further compromise if sensitive files are accessed. No detection or fake code is present; this is a functional exploit script.
This repository contains an automated exploit tool for Grafana CVE-2021-43798, a directory traversal vulnerability affecting certain versions of Grafana. The main script, 'grafxploit.py', is a Python 3 tool that scans for vulnerable Grafana instances and attempts to extract sensitive files from the server by exploiting the directory traversal flaw in plugin endpoints. The tool supports both single and multiple target scanning, customizable output directories, and allows the user to specify additional file paths to target. The default list of targeted files includes critical system files (/etc/passwd, /etc/shadow), SSH keys, Grafana configuration and database files, and other sensitive files commonly found on Linux systems. The tool automates the process of identifying a vulnerable plugin, constructing the exploit URL, and downloading the files if accessible. The repository also includes a README with usage instructions and a 'common/paths.txt' file listing default file paths to target. The exploit is operational and provides real-world impact by enabling attackers to exfiltrate sensitive data from vulnerable Grafana servers.
This repository provides a Bash script (grafana-cve-2021-43798.sh) that automates exploitation of the Grafana CVE-2021-43798 path traversal vulnerability. The script reads a list of known vulnerable plugin paths from 'paths.txt', each containing path traversal sequences designed to access sensitive files on the target server (both Linux and Windows targets are included). The script sends HTTP requests to a specified BASE_URL (default: https://target.com), using curl's --path-as-is option to avoid path normalization, and attempts to retrieve the contents of files such as /etc/passwd, Windows SAM, and win.ini. Successful responses (HTTP 200) are saved to the 'hits/' directory for later analysis. The repository is structured with a README.md (usage instructions), the main exploit script, and a comprehensive list of traversal payloads in paths.txt. This is a proof-of-concept exploit and does not include advanced payloads or post-exploitation features.
This repository contains a Python exploit script (grafana-exploit.py) and a README.md for CVE-2021-43798, a Local File Inclusion (LFI) vulnerability in Grafana. The exploit script targets a vulnerable Grafana server by sending HTTP GET requests to various plugin endpoints, attempting to traverse directories and access sensitive files such as /etc/passwd, grafana.ini, and the Grafana database. The script confirms successful exploitation by checking for known file contents (e.g., 'root:x:0:0:root' in /etc/passwd) and can extract secrets from the configuration file. The README provides usage instructions, indicating that the user should set the target IP and port in the script before running it. The exploit is operational and allows attackers to read arbitrary files from the server, potentially exposing credentials and other sensitive information.
This repository contains a Python exploit script (exploit.py) and a README for CVE-2021-43798, a path traversal vulnerability in Grafana versions 8.0.0 through 8.3.0. The exploit.py script allows an unauthenticated attacker to read arbitrary files from the server by sending HTTP GET requests to crafted plugin paths that traverse the filesystem (e.g., /public/plugins/alertGroups/../../../../../../../..). The script first tests a list of possible vulnerable plugin paths by attempting to read /etc/passwd. If successful, it provides an interactive shell for the user to specify additional files to read. Binary files are saved to /tmp with a random filename. The exploit is operational, providing a working file read capability, and targets network-accessible Grafana instances. The repository is straightforward, with the main logic in exploit.py and usage instructions in the README.
This repository contains a Python exploit script (CVE-2021-43798_exploit.py) and a README.md. The exploit targets CVE-2021-43798, a directory traversal vulnerability in Grafana versions 8.0.0-beta1 through 8.3.0, allowing arbitrary file read on both Linux and Windows servers. The script prompts the user for the target OS and file path, then crafts a traversal payload to access files via the vulnerable /public/plugins/<plugin_name>/<traversal_payload> HTTP endpoint. The plugin name is randomly selected from a list of known plugins to increase the chance of success. The exploit is interactive, allowing repeated file reads. The README documents the exploit's purpose and its compatibility with both Windows and Linux targets. No hardcoded IPs or domains are present; the user supplies the target host as a command-line argument. The repository is focused, with a single Python exploit file and supporting documentation.
This repository contains an automated exploit tool ('grafxploit.py') targeting Grafana instances vulnerable to CVE-2021-43798, a path traversal vulnerability in the plugin resource handler. The tool is written in Python and is designed to scan single or multiple targets, identify vulnerable plugins, and extract sensitive files from the server. It leverages a list of common sensitive file paths (provided in 'common/paths.txt') and attempts to read them via crafted HTTP requests. If /etc/passwd is successfully retrieved, it parses the file to identify user accounts and then targets user-specific files such as SSH keys and shell histories. The exploit is operational and can be used to automate the extraction of credentials, configuration files, and other sensitive data from affected Grafana servers. The repository is structured with a main exploit script, a README for usage instructions, a license file, and a list of file paths to target.
This repository provides a proof-of-concept exploit and utility for CVE-2021-43798, a directory traversal vulnerability in Grafana (versions 8.0.0 to 8.3.0). The exploit allows unauthenticated attackers to read arbitrary files from the server by abusing plugin endpoints with crafted paths (e.g., /public/plugins/alertGroups/../../../../../../../../etc/passwd). The README documents the vulnerability, provides example vulnerable endpoints, and lists sensitive files that can be targeted. The Go code (AESDecrypt.go) is a utility to decrypt AES-encrypted data source passwords from the Grafana database (grafana.db) using the secret key from the configuration file (grafana.ini). The code also demonstrates how to encrypt plaintext passwords for testing. The repository is structured with a single Go file containing the decryption logic and a detailed README explaining the vulnerability, exploitation steps, and decryption process. No detection scripts or fake exploits are present; the code is a working proof-of-concept for post-exploitation credential extraction.
This repository contains a Python proof-of-concept exploit for CVE-2021-43798, a directory traversal vulnerability in Grafana versions 8.0.0-beta1 through 8.3.0. The main file, CVE-2021-43798.py, provides both detection and exploitation capabilities. It can identify Grafana instances, check for vulnerable versions, and attempt to read sensitive files from the server by exploiting the directory traversal flaw in the /public/plugins/{plugin_id}/ endpoint. The exploit iterates through a list of known plugin IDs and attempts to access files such as /etc/passwd (Linux), win.ini (Windows), and Grafana's configuration files. The script supports both single-target and batch scanning modes, with optional multi-threading. The README.md provides background on the vulnerability, affected versions, and usage disclaimers. No hardcoded IPs or domains are present; the exploit is generic and targets user-supplied URLs.
This repository provides a Go-based exploit tool for Grafana's CVE-2021-43798 arbitrary file read vulnerability. The main entry point is `cmd/grafanaExp.go`, which implements a CLI with two primary commands: `exp` (to exploit a remote Grafana instance) and `decode` (to decrypt a downloaded database file locally). The exploit works by probing for vulnerable plugins, using a crafted HTTP GET request to the `/public/plugins/[plugin]/[payload]/[file_path]` endpoint to read sensitive files such as the configuration and database. It then extracts the secret key, downloads the database, and decrypts it to reveal sensitive data source information, including database credentials. The codebase is well-structured, with clear separation between CLI handling, HTTP requests, and exploitation logic. The repository also includes a custom HTTP client implementation and test suites. The exploit is operational and automates the full attack chain from vulnerability detection to credential extraction.
This repository contains a proof-of-concept (POC) exploit for an arbitrary file read vulnerability affecting Grafana version 8.*. The exploit is implemented in Python (exp.py) and is designed to test multiple target IP addresses listed in ip.txt. The script constructs HTTP requests to various plugin paths in Grafana, exploiting a directory traversal vulnerability to attempt to read the /etc/passwd file from the server. If the response contains evidence of the file (e.g., the string 'root:x'), the script reports the target as vulnerable. The README provides usage instructions, a list of payload paths, and context about the vulnerability. The repository is structured with a single exploit script (exp.py), a README, and a sample list of target IPs (ip.txt). The exploit demonstrates the vulnerability but does not provide weaponized or post-exploitation capabilities.
This repository is a proof-of-concept exploit for CVE-2021-43798, a directory traversal vulnerability in Grafana versions 8.0.0-beta1 to 8.3.0. The main exploit script (exploit.py) automates the process of testing a list of target Grafana servers (provided in targets.txt) for the vulnerability. It attempts to read sensitive files from the server's filesystem by exploiting the vulnerable /public/plugins/<plugin>/ path, using a list of plugin names (payload.txt) and file paths (paths.txt) to construct traversal payloads. If successful, the script can download files such as /etc/passwd, Grafana configuration files, and the Grafana database. If the database is obtained, the script attempts to extract and decrypt stored data source passwords using a default or extracted secret key, with decryption logic implemented in secure.py. The repository is structured with supporting files for payloads, paths, and utility functions, and is written in Python. The exploit is network-based and targets publicly accessible Grafana instances. No fake or destructive functionality is present; the code is a legitimate exploit and not merely a detection script.
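The credential-recovery steps described for the AESDecrypt.py/grafana2hashcat.py repositories and for the secure.py decryptor above all rest on the same primitives. The following Go program is an added example written for this page, not code from any of those repositories or from Grafana: it reimplements Grafana's legacy secret format (8-byte salt, 16-byte IV, AES-256-CFB, key from PBKDF2-HMAC-SHA256 with 10,000 iterations), decrypts a data_source.secure_json_data blob, and converts a user.password/user.salt pair into hashcat mode 10900 input. The salt, IV, plaintext and user salt values are constructed for the demonstration; the default secret_key SW2YcwTIb9zpOOhoPsMm is the one the summaries cite. Only the standard library is used, so PBKDF2 is written out rather than imported.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

const (
	pbkdf2Iterations = 10000
	legacySaltLen    = 8                      // random salt prefixed to every ciphertext
	userPasswordLen  = 50                     // PBKDF2 output bytes stored hex-encoded in user.password
	defaultSecretKey = "SW2YcwTIb9zpOOhoPsMm" // Grafana's shipped default secret_key
)

// pbkdf2SHA256 is a stdlib-only PBKDF2-HMAC-SHA256 (RFC 8018, section 5.2).
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		var ctr [4]byte
		binary.BigEndian.PutUint32(ctr[:], block)
		prf.Write(ctr[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// decryptLegacySecret reverses the legacy layout salt(8) || iv(16) || AES-CFB(plaintext),
// with the AES-256 key derived from secret_key and the per-secret salt.
func decryptLegacySecret(secretKey string, payload []byte) ([]byte, error) {
	if len(payload) < legacySaltLen+aes.BlockSize {
		return nil, errors.New("ciphertext too short")
	}
	salt := payload[:legacySaltLen]
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(secretKey), salt, pbkdf2Iterations, 32))
	if err != nil {
		return nil, err
	}
	iv := payload[legacySaltLen : legacySaltLen+aes.BlockSize]
	ct := payload[legacySaltLen+aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCFBDecrypter(block, iv).XORKeyStream(pt, ct)
	return pt, nil
}

// encryptLegacySecret is the matching encryptor; it exists here only to build sample data.
func encryptLegacySecret(secretKey string, salt, iv, plaintext []byte) ([]byte, error) {
	if len(salt) != legacySaltLen || len(iv) != aes.BlockSize {
		return nil, errors.New("salt must be 8 bytes and iv 16 bytes")
	}
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(secretKey), salt, pbkdf2Iterations, 32))
	if err != nil {
		return nil, err
	}
	out := make([]byte, legacySaltLen+aes.BlockSize+len(plaintext))
	copy(out, salt)
	copy(out[legacySaltLen:], iv)
	cipher.NewCFBEncrypter(block, iv).XORKeyStream(out[legacySaltLen+aes.BlockSize:], plaintext)
	return out, nil
}

// decryptSecureJSONData takes the JSON object stored in data_source.secure_json_data,
// whose values are base64 ciphertexts, and returns the plaintext per key.
func decryptSecureJSONData(secretKey string, secureJSON []byte) (map[string]string, error) {
	var enc map[string][]byte // encoding/json decodes base64 strings into []byte
	if err := json.Unmarshal(secureJSON, &enc); err != nil {
		return nil, err
	}
	out := make(map[string]string, len(enc))
	for k, ct := range enc {
		pt, err := decryptLegacySecret(secretKey, ct)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", k, err)
		}
		out[k] = string(pt)
	}
	return out, nil
}

// encodeGrafanaPassword reproduces the user.password column: hex(PBKDF2(pw, salt, 10000, 50)).
func encodeGrafanaPassword(password, salt string) string {
	return hex.EncodeToString(pbkdf2SHA256([]byte(password), []byte(salt), pbkdf2Iterations, userPasswordLen))
}

// toHashcat10900 formats a user.password/user.salt pair as sha256:10000:b64(salt):b64(digest).
func toHashcat10900(passwordHex, salt string) (string, error) {
	digest, err := hex.DecodeString(passwordHex)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("sha256:%d:%s:%s", pbkdf2Iterations,
		base64.StdEncoding.EncodeToString([]byte(salt)),
		base64.StdEncoding.EncodeToString(digest)), nil
}

func main() {
	salt, iv := make([]byte, legacySaltLen), make([]byte, aes.BlockSize)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	ct, err := encryptLegacySecret(defaultSecretKey, salt, iv, []byte("pg-p4ssw0rd")) // constructed secret
	if err != nil {
		panic(err)
	}
	blob, _ := json.Marshal(map[string][]byte{"password": ct}) // same shape as secure_json_data
	fmt.Println("secure_json_data:", string(blob))
	secrets, err := decryptSecureJSONData(defaultSecretKey, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypted:", secrets)
	line, _ := toHashcat10900(encodeGrafanaPassword("admin", "abcdefghij"), "abcdefghij")
	fmt.Println("hashcat 10900:", line)
}
```

Decryption with the default key succeeds only where the operator never changed secret_key; when grafana.ini was retrieved as well, its value is the one to use. Grafana later added other algorithms (the AES-GCM option one summary mentions); this covers the legacy AES-CFB format that the affected 8.x releases use by default. For incident response the relevant conclusion is the converse of the attacker's: if grafana.ini and grafana.db could have been read, every data source password in secure_json_data is recoverable, so rotate them along with API keys, reset user passwords, and change secret_key.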
This repository provides a proof-of-concept (PoC) exploit for CVE-2021-43798, a pre-authentication path traversal vulnerability in Grafana 8.x. The exploit is implemented in Go (exploit.go) and allows an unauthenticated attacker to read arbitrary files from the filesystem of a vulnerable Grafana server by abusing the /public/plugins/:pluginId endpoint. The exploit supports targeting a single host or a list of hosts, and can extract files such as /etc/passwd, the Grafana sqlite3 database (/var/lib/grafana/grafana.db), and the configuration file (conf/defaults.ini). The repository includes a README.md with detailed usage instructions, attack scenarios, and background on the vulnerability. The Makefile provides a build target for compiling the exploit. No framework is used; the exploit is standalone. The main attack vector is network-based, requiring the attacker to send crafted HTTP requests to the vulnerable endpoint. The exploit is a functional PoC and does not include weaponized or post-exploitation features.
Affected products & vendors
Grafana (Grafana Labs), versions 8.0.0-beta1 through 8.3.0 other than the patched 8.0.7, 8.1.8 and 8.2.7 releases.
Recent activity
48 sources tracked across advisories, community write-ups, and news.
A Grafana path traversal vulnerability enabling arbitrary file read; observed in coordinated exploitation attempts against internet-exposed Grafana, often used for reconnaissance and credential/config harvesting in cloud/hybrid environments.
A Grafana path traversal vulnerability enabling arbitrary file read on exposed Grafana instances; reports describe a coordinated surge of exploitation attempts against internet-accessible deployments.
A Grafana path traversal vulnerability enabling arbitrary file read; reported as seeing a coordinated surge of exploitation attempts against internet-exposed Grafana instances in cloud/hybrid environments.
A path traversal vulnerability in Grafana, still actively abused in the wild for initial access and, through the credentials it exposes, lateral movement.
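The exploitation attempts the items above describe leave a recognisable trace in web-server logs: a GET for /public/plugins/<id>/ whose file part contains a ".." segment, raw or percent-encoded. The Go program below is an added example written for this page (not a vendor rule and not code from any of the repositories listed) that scans nginx combined-format access-log lines for that pattern. The log lines are constructed for the demonstration, and the decoding assumes the request path is logged as received, before any proxy normalization.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed nginx "combined" access-log sample, not real traffic. Lines 1-3 are
// traversal attempts (raw, %2f-encoded, double-encoded), lines 4-5 are benign.
const sampleLog = `10.0.0.5 - - [08/Dec/2021:10:00:01 +0000] "GET /public/plugins/welcome/../../../../../../../../etc/passwd HTTP/1.1" 200 1765 "-" "curl/7.68.0"
10.0.0.5 - - [08/Dec/2021:10:00:02 +0000] "GET /public/plugins/alertlist/..%2f..%2f..%2f..%2f..%2f..%2fetc/grafana/grafana.ini HTTP/1.1" 200 20873 "-" "python-requests/2.26.0"
10.0.0.5 - - [08/Dec/2021:10:00:03 +0000] "GET /public/plugins/zipkin/%2e%2e%252f%2e%2e%252fvar/lib/grafana/grafana.db HTTP/1.1" 404 0 "-" "python-requests/2.26.0"
192.168.1.20 - - [08/Dec/2021:10:00:04 +0000] "GET /public/plugins/welcome/img/logo.svg HTTP/1.1" 200 4112 "https://grafana.example/" "Mozilla/5.0"
192.168.1.20 - - [08/Dec/2021:10:00:05 +0000] "GET /api/../api/health HTTP/1.1" 200 60 "-" "Mozilla/5.0"`

// requestRe pulls the request path and the status code out of a combined-format line.
var requestRe = regexp.MustCompile(`"(?:GET|HEAD|POST|PUT|DELETE|OPTIONS) (\S+) HTTP/[0-9.]+" (\d{3}) `)

type Finding struct {
	LineNo  int
	Plugin  string
	Decoded string // request path after decoding, roughly as Grafana's router would see it
	Status  string
}

// normalizePath strips the query string, percent-decodes up to twice (to catch
// %2f as well as double-encoded %252f), and folds backslashes to forward slashes
// so Windows-style traversal is judged the same way.
func normalizePath(raw string) string {
	p := raw
	if i := strings.IndexByte(p, '?'); i >= 0 {
		p = p[:i]
	}
	for pass := 0; pass < 2; pass++ {
		dec, err := url.PathUnescape(p)
		if err != nil || dec == p {
			break
		}
		p = dec
	}
	return strings.ReplaceAll(p, `\`, "/")
}

// pluginTraversal reports whether a decoded path is a /public/plugins/<id>/...
// request whose file part contains a ".." segment, and returns the plugin id.
// The rule is deliberately scoped to the vulnerable route; ".." elsewhere is not its job.
func pluginTraversal(decoded string) (string, bool) {
	const prefix = "/public/plugins/"
	if !strings.HasPrefix(decoded, prefix) {
		return "", false
	}
	segs := strings.Split(strings.TrimPrefix(decoded, prefix), "/")
	for _, s := range segs[1:] {
		if s == ".." {
			return segs[0], true
		}
	}
	return "", false
}

// ScanAccessLog returns one Finding per line that carries a plugin-path traversal.
func ScanAccessLog(log string) []Finding {
	var out []Finding
	for i, line := range strings.Split(log, "\n") {
		m := requestRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		decoded := normalizePath(m[1])
		if plugin, ok := pluginTraversal(decoded); ok {
			out = append(out, Finding{LineNo: i + 1, Plugin: plugin, Decoded: decoded, Status: m[2]})
		}
	}
	return out
}

func main() {
	for _, f := range ScanAccessLog(sampleLog) {
		fmt.Printf("line %d: plugin=%s status=%s path=%s\n", f.LineNo, f.Plugin, f.Status, f.Decoded)
	}
}
```

Two decoding passes catch both ..%2f, which bypasses proxies that collapse a literal ../ and is decoded by Grafana's router, and double-encoded variants that show up in scanner traffic. The status code separates successful reads (200 with a non-trivial body size) from probes against patched hosts or plugin IDs that are not installed (404). A proxy that normalizes dot segments before forwarding never passes a raw ../ request to Grafana, so the ingress logs, not Grafana's own request log, are the place to run this.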