CVE-2024-9264 PoC — Grafana SQL Expressions allow for remote code execution

Source

https://github.com/amalpvatayam67/day05-grafana-sqlexpr-lab

Associated Vulnerability

Title:Grafana SQL Expressions allow for remote code execution (CVE-2024-9264)
Description:The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.

Description

Grafana SQL Expressions → DuckDB LFI (CVE-2024-9264)

Readme

# Day 5 – Grafana SQL Expressions → DuckDB LFI (CVE-2024-9264)

**TL;DR:** On affected Grafana 11.x builds, a logged-in Viewer can use **SQL Expressions**.
Grafana forwards the expression to **DuckDB** on the server. With `read_text()` / `read_blob()`,
you can read local files (LFI). We plant a flag at `/opt/flag.txt`.

## Build → Run
```bash
docker build -t day5-grafana .
docker rm -f day5 2>/dev/null || true
docker run -d --name day5 -p 3000:3000 day5-grafana

File Snapshot


 [4.0K]  /data/pocs/981dc88dc6c6cbc01c1f3cc1590168da18535efa
├── [ 294]  cookies.txt
├── [ 255]  DISCLAIMER.md
├── [1.4K]  Dockerfile
├── [ 455]  entrypoint.sh
├── [1021]  exploit.sh
├── [ 186]  grafana.ini
└── [ 471]  README.md

0 directories, 7 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!