P1: Easy Access to Grafana Dashboard
2021-08-09 17:06:26 Author: infosecwriteups.com (view original)

Mahendra Purbia (Mah3Sec_)

Hey folks,
I’m here to share one of my old findings, in which I accessed a Grafana dashboard with default credentials, which led to sensitive information about the server’s analytics and other data on resource utilization.

You must be thinking: why write up such an easy finding, when even beginners can find this issue? My answer is that only 50% of bug hunters look for this flaw, because they follow their checklists. And as penetration testers, our work is to test for and report every vulnerability, from very low to high severity. I’m sharing this for hunters and beginner-level pen-testers who perform or provide penetration testing services or work for a company. These simple vulnerabilities can give us juicy data and access to the admin panel.

I was testing a target, so let’s call it redacted.com. I used subfinder and httpx to find active subdomains:

subfinder -d redacted.com | httpx -o redacted.txt

redacted.com was running an outdated version of Grafana, v6.0.2. Among the results I noticed the subdomain https://grafana.redacted.com, which redirected to https://grafana.redacted.com/login; only an admin or internal user could access the dashboard. So I started looking for CVEs and tried some bypass techniques to reach the dashboard, but had no success.

What do I do now? Is there any other way to get access to the dashboard?

Maybe there is a way to get access.

Suddenly, my spider-sense warned me that I had missed an essential and easy part of finding vulnerabilities in an admin panel: trying default credentials.

How did I forget the first rule of testing an admin panel?

Grafana’s default credentials are admin:admin, as mentioned in the Grafana docs. I tried admin:admin and was logged in as admin.

Logged in. Sorry, but for a good reason I’m not sharing the full video PoC :)

Impact: This can lead to sensitive information about the server’s analytics and other data on resource utilization.
An attacker can also generate an API key and pull the resources out of this platform to a domain under the attacker’s control.
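The root cause here is a Grafana instance left on its shipped admin account. As an added example (not part of the original write-up, and not redacted.com’s configuration), the grafana.ini excerpt below shows the default `[security]` settings beside a hardened version. The key names are Grafana’s documented ones; the password value is a placeholder, and `disable_initial_admin_creation` is assumed to be unavailable in the 6.0.2 release named above (it appears in newer releases; check the docs for your version).

```ini
# grafana.ini excerpt (illustrative, constructed for this write-up)

# WEAK: these are the values Grafana ships with. Leaving them in place is
# exactly the misconfiguration found in this write-up.
#
# [security]
# admin_user = admin
# admin_password = admin

# HARDENED
[security]
admin_user = grafana-admin
# Placeholder only. In practice do not commit a password to this file:
# supply it with the GF_SECURITY_ADMIN_PASSWORD environment variable,
# which overrides this key.
admin_password = CHANGE-ME-PLACEHOLDER
# Newer Grafana releases only (assumption: not present in 6.0.2):
# skip creating the built-in admin on first start when accounts come from SSO.
disable_initial_admin_creation = true
# Session cookie is only sent over HTTPS (the target redirected to HTTPS).
cookie_secure = true

[auth.anonymous]
# Nobody sees dashboards without logging in.
enabled = false

[users]
# No self-registration and no self-service org creation.
allow_sign_up = false
allow_org_create = false
```

Two caveats worth knowing on the blue-team side: `admin_password` is applied only when Grafana creates the admin account at first start, so changing it on an instance that already has its default admin does nothing to the existing password (reset that with `grafana-cli admin reset-admin-password <new-password>`, then also revoke any API keys the account has issued); and the outdated version itself (6.0.2) remains a separate finding that only an upgrade fixes.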

Fill in the blanks:

Who is responsible for this mistake: ______________😁

As per the Bugcrowd VRT, this flaw has P1 severity and the reward should be in 4 digits, but I found it on a VDP (a discontinued program), and they pay based on their budget for bounty programs.

Bounty: $$$(3-digit)

Note: Never underestimate your spider-sense; try everything you have, and never give up.

Related: unauthenticated stored XSS in Grafana prior to version 6.3.3, write-up by Mohamed Serwah: https://t.co/8jiFU7few6?amp=1

Twitter: https://twitter.com/Mah3Sec_

Thanks for reading my write-up, Happy Hunting!

Article source: https://infosecwriteups.com/p1-easy-access-to-grafana-dashboard-9b7df82329b6?source=rss----7b722bfd1b8d--bug_bounty