Attackers can exploit the ElasticSearch vulnerability to obtain webshell permissions of a website.

Source: Internet
Author: User
Tags perl script

Attackers can exploit the ElasticSearch vulnerability to obtain webshell permissions of a website.

ElasticSearch is usually deployed in many large enterprises. Therefore, further penetration makes sense after obtaining an intranet permission. In the previous article "ElasticSearch vulnerability practice: Using perl to rebound shell", we analyzed the shell that gets a rebound through the perl script. The reverse shell has a certain timeliness, this article discusses non-perl penetration.

1. Search for the keyword "Elasticsearch" through the shodanhq Search Engine"

First, register a user at After successful registration, you must activate the user by email. After activation, you can use it. Enter the keyword "Elasticsearch" in the search box to search. 1 shows that the query records are displayed in top countries. In the early search results, China ranked first, followed by a large number of servers deployed in the United States. Select an IP address randomly in the result list. In this example, select a foreign IP address.

Figure 1 search keyword "ElasticSearch"

2. vulnerability testing through the FireFox portable version

Enter the address " 9200/_ search?" In the FireFox portable version? Pretty, and then click Load Url, as shown in 2. Enter the following code in Post Data:

The purpose of this Code is to read the content of the/etc/passwd file in the linux operating system. If the vulnerability exists, it reads the content of the passwd file. Otherwise, it indicates that the vulnerability does not exist.

Figure 2 test whether the vulnerability exists

3. query sensitive files

In Post data, change exec (\ "cat/etc/passwd \") to exec (\ "locate *. php \ "), exec (\" locate *. SQL \ "), exec (\" locate *. conf \ ") to obtain sensitive file information. 3 indicates that the server may use php and the cms system may be wordpress.

Figure 3 system Sensitive Information Retrieval

Use the following code to directly obtain the path "/usr/share/nginx/xxxxxxxxxxxxx/wp-config.php" for the wp-config.php file, as shown in 4:


Figure 4 obtain the path to the wp-config.php

4. Locate the website and its actual path

Run "cat/usr/share/nginx/xxxxxxxxxxxxx/wp-config.php" to read the file content, as shown in figure 5, get the mysql database root account and password as well as the website domain name

. By viewing the root directory of the website, you can also find mysql file backup. You can use the flashget download tool to download it to your local computer, as shown in figure 6.

Figure 5 obtain website domain name and other information

Figure 6 download database files

Related Article

Cloud Intelligence Leading the Digital Future

Alibaba Cloud ACtivate Online Conference, Nov. 20th & 21st, 2019 (UTC+08)

Register Now >

Starter Package

SSD Cloud server and data transfer for only $2.50 a month

Get Started >

Alibaba Cloud Free Trial

Learn and experience the power of Alibaba Cloud with a free trial worth $300-1200 USD

Learn more >

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.