Attackers can exploit the ElasticSearch vulnerability to obtain webshell permissions of a website.

Source: Internet
Author: User
Tags: perl script

ElasticSearch is deployed in many large enterprises, so once a foothold on the intranet has been obtained, further penetration is worthwhile. In the previous article, "ElasticSearch vulnerability practice: Using perl to rebound shell", we analyzed how a reverse shell is obtained through a perl script. A reverse shell is only available for a limited time, so this article discusses penetration that does not rely on perl.

1. Search for the keyword "Elasticsearch" through the shodanhq search engine

First, register a user at shodanhq.com. After registration, the account must be activated through the e-mail you receive; it can then be used. Enter the keyword "Elasticsearch" in the search box and search. Figure 1 shows the query results broken down by top countries: in the early search results, China ranked first, followed by a large number of servers deployed in the United States. Select an IP address at random from the result list; in this example, a foreign IP address is selected.

Figure 1 search keyword "ElasticSearch"

2. Vulnerability testing through the FireFox portable version

Enter the address "http://192.121.xxx.xxx:9200/_search?pretty" in the FireFox portable version, then click Load URL, as shown in Figure 2. Enter the following code in Post Data:

The purpose of this code is to read the /etc/passwd file of the Linux operating system. If the vulnerability exists, the contents of the passwd file are returned; otherwise, the vulnerability does not exist.

Figure 2 test whether the vulnerability exists

3. Query sensitive files

In Post Data, change exec(\"cat /etc/passwd\") to exec(\"locate *.php\"), exec(\"locate *.sql\") and exec(\"locate *.conf\") to obtain information about sensitive files. Figure 3 indicates that the server probably uses PHP and that the CMS may be WordPress.

Figure 3 system Sensitive Information Retrieval

Use the following code to directly obtain the path "/usr/share/nginx/xxxxxxxxxxxxx/wp-config.php" of the wp-config.php file, as shown in Figure 4:


Figure 4 obtain the path to the wp-config.php

4. Locate the website and its actual path

Run "cat /usr/share/nginx/xxxxxxxxxxxxx/wp-config.php" to read the file content. As shown in Figure 5, this yields the MySQL root account and password as well as the website domain name xxxxxxxxxxxxx.com. By browsing the root directory of the website you can also find a MySQL backup file, which can be downloaded to your local computer with the FlashGet download tool, as shown in Figure 6.

Figure 5 obtain website domain name and other information

Figure 6 download database files
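From the defender's side, steps 2 to 4 all share one shape: a request to _search whose body carries a dynamic script that reaches the operating system. The following added example (not part of the original article) flags such requests in constructed proxy-style log records, distinguishing any dynamic script from one that calls exec(...) as the Post Data above does, and checks an elasticsearch.yml fragment for script.disable_dynamic: true, the Elasticsearch 1.x setting that turns dynamic scripting off. Addresses and request bodies are made up for the example.

```python
import json
import re

# A script in a search body that calls exec(...) (as in the article's Post Data)
# or goes through Java's Runtime is reaching the OS, not computing over documents.
SHELL_INDICATORS = re.compile(r"Runtime\.getRuntime|\bexec\s*\(")

# Constructed sample of requests to port 9200, as a proxy in front of it might log them.
SAMPLE_LOG = [
    {"src": "198.51.100.4", "path": "/_search?pretty",
     "body": '{"query": {"match_all": {}}, "script_fields": '
             '{"out": {"script": "exec(\\"cat /etc/passwd\\")"}}}'},
    {"src": "10.0.0.12", "path": "/logs-2014/_search",
     "body": '{"script_fields": {"dbl": {"script": "doc[\'bytes\'].value * 2"}}}'},
    {"src": "10.0.0.8", "path": "/_search", "body": '{"query": {"match_all": {}}}'},
]

def _scripts_in(node):
    # Yield every string stored under a "script" key, wherever it sits in the body.
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "script" and isinstance(value, str):
                yield value
            yield from _scripts_in(value)
    elif isinstance(node, list):
        for item in node:
            yield from _scripts_in(item)

def classify_request(path, body):
    """Return 'shell-exec', 'script' or 'ok' for one request to the REST API."""
    if "_search" not in path or not body:
        return "ok"
    try:
        scripts = list(_scripts_in(json.loads(body)))
    except ValueError:
        return "ok"  # not a JSON search body; nothing to inspect
    if any(SHELL_INDICATORS.search(s) for s in scripts):
        return "shell-exec"  # the script tries to run an OS command
    return "script" if scripts else "ok"  # any dynamic script deserves a look

def scan_log(records):
    """Return (source address, verdict) for every request that is not 'ok'."""
    verdicts = [(r["src"], classify_request(r["path"], r["body"])) for r in records]
    return [v for v in verdicts if v[1] != "ok"]

def dynamic_scripting_disabled(yaml_text):
    """True if an elasticsearch.yml fragment sets the 1.x switch script.disable_dynamic: true."""
    for line in yaml_text.splitlines():
        line = line.split("#", 1)[0].strip()  # ignore comments
        if line.startswith("script.disable_dynamic"):
            return line.split(":", 1)[1].strip().lower() == "true"
    return False
```

Running scan_log over SAMPLE_LOG returns only the two records that carry a script; the exec(...) one is reported as shell-exec.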
