Attackers can exploit the ElasticSearch vulnerability to obtain webshell access to a website.
ElasticSearch is deployed in many large enterprises, so once a foothold on the intranet has been obtained, further penetration is worthwhile. In the previous article "ElasticSearch vulnerability practice: Using perl to rebound shell", we analyzed obtaining a reverse shell through a perl script. Because a reverse shell is only available for a limited time, this article discusses penetration without perl.
1. Search for the keyword "Elasticsearch" through the shodanhq search engine
First, register a user at shodanhq.com. After successful registration, activate the account by email; it can then be used. Enter the keyword "Elasticsearch" in the search box and search. Figure 1 shows the query results broken down by top countries. In the early search results, China ranked first, followed by a large number of servers deployed in the United States. Select an IP address at random from the result list; in this example, a foreign IP address is selected.
Figure 1 Search for the keyword "ElasticSearch"
2. Vulnerability testing through the FireFox portable version
Enter the address "http://192.121.xxx.xxx:9200/_search?pretty" in the FireFox portable version and click Load Url, as shown in Figure 2. Enter the following code in Post Data:
The purpose of this code is to read the /etc/passwd file on the Linux operating system. If the vulnerability exists, the content of the passwd file is returned; otherwise, the vulnerability does not exist.
Figure 2 Test whether the vulnerability exists
3. Query sensitive files
In Post Data, change exec(\"cat /etc/passwd\") to exec(\"locate *.php\"), exec(\"locate *.sql\") and exec(\"locate *.conf\") to obtain sensitive file information. Figure 3 indicates that the server probably uses PHP and that the CMS may be WordPress.
Figure 3 Retrieval of sensitive system information
Use the following code to obtain the path of the wp-config.php file directly, "/usr/share/nginx/xxxxxxxxxxxxx/wp-config.php", as shown in Figure 4:
Figure 4 Obtain the path to wp-config.php
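The requests in sections 2 and 3 leave a recognisable trace on the server side: a POST to the _search endpoint whose body carries a script element and shell command strings such as cat /etc/passwd or locate *.php. The following Python is an added example for detecting that trace; it is not part of the original article. It assumes a reverse proxy in front of Elasticsearch that logs the client address, method, path and request body on one line (a constructed format; Elasticsearch itself does not log request bodies by default), and the sample log lines are constructed to mirror the probes described above.

```python
import json
import re

# Constructed sample log lines in a hypothetical "client method path body"
# format, as a reverse proxy in front of Elasticsearch might record requests.
# The third and fourth lines mirror the probes described in the article.
SAMPLE_LOG = [
    '10.0.0.5 GET /_cluster/health {}',
    '10.0.0.7 POST /_search?pretty {"query":{"match_all":{}}}',
    '203.0.113.9 POST /_search?pretty '
    '{"size":1,"query":{"match_all":{}},'
    '"script_fields":{"x":{"script":"exec(\\"cat /etc/passwd\\")"}}}',
    '203.0.113.9 POST /_search?pretty '
    '{"size":1,"script_fields":{"x":{"script":"exec(\\"locate *.php\\")"}}}',
]

# JSON keys that make a search request carry executable script.
SCRIPT_KEYS = {"script", "script_fields"}

# Command strings from the article's probes; any of them inside a search body
# is a strong indicator regardless of how the surrounding JSON is shaped.
COMMAND_PATTERN = re.compile(
    r'exec\s*\(|cat\s+/etc/passwd|locate\s+\*\.(?:php|sql|conf)', re.IGNORECASE)


def script_keys(node, found=None):
    """Collect script-related keys anywhere in a parsed request body."""
    if found is None:
        found = set()
    if isinstance(node, dict):
        for key, value in node.items():
            if key in SCRIPT_KEYS:
                found.add(key)
            script_keys(value, found)
    elif isinstance(node, list):
        for value in node:
            script_keys(value, found)
    return found


def analyze(lines):
    """Return one finding per search request that carries script or command strings."""
    findings = []
    for line in lines:
        client, method, path, body = line.split(" ", 3)
        # Only the search API accepts the scripted bodies used in the article.
        if not path.split("?", 1)[0].endswith("_search"):
            continue
        reasons = []
        try:
            parsed = json.loads(body)
        except json.JSONDecodeError:
            parsed = None  # malformed body: still scanned as raw text below
        keys = script_keys(parsed) if parsed is not None else set()
        if keys:
            reasons.append("script element in search body: " + ", ".join(sorted(keys)))
        hits = COMMAND_PATTERN.findall(body)
        if hits:
            reasons.append("command strings in search body: " + ", ".join(hits))
        if reasons:
            findings.append({"client": client, "method": method,
                             "path": path, "reasons": reasons})
    return findings


def suspicious_clients(lines):
    """Distinct client addresses with at least one finding, for alerting."""
    return sorted({f["client"] for f in analyze(lines)})


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding["client"], finding["path"])
        for reason in finding["reasons"]:
            print("   ", reason)
    print("clients:", suspicious_clients(SAMPLE_LOG))
```

The JSON walk catches scripted requests whatever command they carry, while the raw-text pattern still fires when the body is malformed or obfuscated enough that it does not parse; a single hit on either is worth an alert, because ordinary search clients have no reason to put a script in a query.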
4. Locate the website and its actual path
Run "cat /usr/share/nginx/xxxxxxxxxxxxx/wp-config.php" to read the file content, as shown in Figure 5, and obtain the MySQL root account and password as well as the website domain name xxxxxxxxxxxxx.com. By viewing the website root directory, you can also find a MySQL backup file, which can be downloaded to the local computer with the FlashGet download tool, as shown in Figure 6.
Figure 5 Obtain the website domain name and other information
Figure 6 Download the database files
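The chain the article follows (a scripted search request running commands as the Elasticsearch user, then reading configuration files and database backups off the host) is closed at the server by disabling dynamic scripting and by not exposing port 9200 beyond the hosts that need it. The following Python is an added example, not from the original article: it parses the flat key: value form used by elasticsearch.yml in the 1.x series and reports the settings that leave the chain open. script.disable_dynamic, network.host and network.bind_host are real 1.x settings; the two configuration fragments are constructed.

```python
# Constructed elasticsearch.yml fragments. script.disable_dynamic and
# network.host are real Elasticsearch 1.x settings; the values are examples.
WEAK_CONFIG = """\
cluster.name: webshop
node.name: es-1
network.host: 0.0.0.0          # reachable from any interface, including the internet
script.disable_dynamic: false  # scripts sent in request bodies are compiled and run
"""

HARDENED_CONFIG = """\
cluster.name: webshop
node.name: es-1
network.host: 127.0.0.1        # only local clients (or a reverse proxy) can reach 9200
script.disable_dynamic: true   # scripts sent in request bodies are rejected
"""


def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines elasticsearch.yml 1.x uses (no nesting, no lists)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"\'')
    return settings


def audit(text):
    """Return a list of findings; an empty list means both checks pass."""
    settings = parse_flat_yaml(text)
    findings = []

    dynamic = settings.get("script.disable_dynamic")
    if dynamic is None:
        findings.append("script.disable_dynamic not set: the default depends on the "
                        "release, set it to true explicitly")
    elif dynamic.lower() != "true":
        findings.append(f"script.disable_dynamic is {dynamic}: scripts in _search "
                        "bodies are executed")

    host = settings.get("network.host") or settings.get("network.bind_host")
    if host is None:
        findings.append("network.host not set: the bind address falls back to the "
                        "release default, set it explicitly")
    elif host in ("0.0.0.0", "::") or host.startswith("_non_loopback"):
        findings.append(f"network.host is {host}: port 9200 is reachable from every interface")

    return findings


if __name__ == "__main__":
    for label, config in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(config)
        print(f"{label}: {'ok' if not result else ''}")
        for finding in result:
            print("   ", finding)
```

Run it against the real file on a node and both findings should be empty; a node that still needs scripted queries keeps dynamic scripting off and serves scripts from files instead, and a node that must be reachable from other hosts is put behind a reverse proxy with authentication rather than bound to every interface.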